# CVE-2022-26969

Published 2022-12-26

CVE-2022-26969: In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

Priority P3 (43) · Critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.93% (56.0th percentile)
### Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | >= 0 < 9.7.0 | 9.7.0 |
| monospace | directus | < 9.7.0 | 9.7.0 |
## GHSA
Insecure default value for CORS configuration (ghsa · 2022-04-05)
CVE-2022-26969 [CRITICAL] CWE-942 Insecure default value for CORS configuration
### Impact
The default value for the `CORS_ENABLED` and `CORS_ORIGIN` configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.
### Patches
The default values for CORS were changed in https://github.com/directus/directus/pull/12022, released in 9.7.0.
### Workarounds
Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.
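The workaround above (and the identical OSV entry below) asks operators to replace the permissive defaults with values matching the project's own front-end origins. The following is an added example, not code from Directus or from the advisory: it models an origin policy driven by the two settings the advisory names, `CORS_ENABLED` and `CORS_ORIGIN`, so the pre-9.7.0 default (both `true`) can be compared with an explicit allowlist, and adds a defender-side check over captured response headers. It assumes, as the page does not spell out, that `CORS_ORIGIN=true` reflects whatever `Origin` a request sends (the behaviour of `origin: true` in the Express `cors` package) and that a comma-separated value acts as an allowlist; `https://app.example.com` and the probe origin are constructed placeholders.

```javascript
// Added example, not Directus code. Models a CORS origin policy driven by
// CORS_ENABLED / CORS_ORIGIN to contrast the permissive pre-9.7.0 default
// with an explicit allowlist. Assumption: "true" reflects any request Origin
// (as `origin: true` does in the Express `cors` package); comma-separated
// values form an allowlist.

// Parse an env-style CORS_ORIGIN value into a policy object.
function parseCorsOrigin(raw) {
  const v = (raw == null ? '' : String(raw)).trim();
  if (v === '' || v.toLowerCase() === 'false') return { mode: 'deny' };
  if (v.toLowerCase() === 'true') return { mode: 'reflect' };
  const origins = v.split(',').map((s) => s.trim()).filter(Boolean);
  return { mode: 'allowlist', origins };
}

// Compute the Access-Control-Allow-Origin value the server would send for a
// request carrying `requestOrigin`; null means the header is omitted and the
// browser refuses the cross-origin read.
function resolveAllowOrigin(config, requestOrigin) {
  if (!config.enabled || !requestOrigin) return null;
  const policy = parseCorsOrigin(config.origin);
  if (policy.mode === 'reflect') return requestOrigin; // every origin is granted
  if (policy.mode === 'allowlist') {
    return policy.origins.includes(requestOrigin) ? requestOrigin : null;
  }
  return null;
}

// Defender-side check on a captured response: was an origin the operator never
// registered granted access, and with credentials (cookies/auth headers) too?
function isPermissiveCors(probeOrigin, responseHeaders) {
  const h = {};
  for (const [k, val] of Object.entries(responseHeaders)) h[k.toLowerCase()] = val;
  const acao = h['access-control-allow-origin'] || '';
  const credentialed =
    String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const permissive = acao === '*' || acao === probeOrigin;
  return { permissive, credentialed, allowOrigin: acao || null };
}

// Constructed sample configs: the pre-9.7.0 default next to a hardened one.
const PERMISSIVE_DEFAULT = { enabled: true, origin: 'true' };
const HARDENED = { enabled: true, origin: 'https://app.example.com' }; // placeholder origin

// Constructed sample: headers a permissive deployment would return when probed
// from an origin that was never registered for the project.
const PROBE_ORIGIN = 'https://unregistered.example';
const SAMPLE_RESPONSE_HEADERS = {
  'Access-Control-Allow-Origin': PROBE_ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, cfg] of Object.entries({ PERMISSIVE_DEFAULT, HARDENED })) {
    console.log(name, '->', resolveAllowOrigin(cfg, PROBE_ORIGIN));
  }
  console.log(isPermissiveCors(PROBE_ORIGIN, SAMPLE_RESPONSE_HEADERS));
}
```

Run with `node` to see the default policy echo the unregistered origin while the allowlist returns `null` for it; `isPermissiveCors` is the kind of assertion to keep in a deployment smoke test, since an `Access-Control-Allow-Origin` that mirrors an arbitrary probe origin together with `Access-Control-Allow-Credentials: true` is exactly the state the advisory warns about.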
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [directus/directus](https://github.com/directus/directus)
* Email us at [[email protected]](mailto:[email protected])
## OSV
Insecure default value for CORS configuration (osv · 2022-04-05)
CVE-2022-26969 [CRITICAL] Insecure default value for CORS configuration
The OSV entry carries the same Impact, Patches, Workarounds and contact text as the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
### References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md
- https://github.com/directus/directus/pull/12022
- https://github.com/directus/directus/releases/tag/v9.7.0
- https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822

Published: 2022-12-26