CVE-2023-26492
Published 2023-03-03
Priority P345 · high · CVSS 3.1 score 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 0.96% (57.1th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | < 9.23.0 | 9.23.0 |
| directus | directus | >= 0 < 9.23.0 | 9.23.0 |
| monospace | directus | < 9.23.0 | 9.23.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | | 5.0 | MEDIUM | |
| osv | | 5.0 | MEDIUM | |
GHSA
Directus vulnerable to Server-Side Request Forgery On File Import
ghsa·2023-03-03·CVSS 5.0
CVE-2023-26492 [MEDIUM] CWE-918 Directus vulnerable to Server-Side Request Forgery On File Import
### Summary
Directus versions
```ts
(encodeURL(importURL), {
  responseType: 'stream',
});
} catch (err: any) {
  logger.warn(err, `Couldn't fetch file from url "${importURL}"`);
  throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
    service: 'external-file',
  });
}
```
However, this validation check and the subsequent fetch of the web resource cause two separate DNS queries, which is what enables a DNS rebinding attack. On the first query, an attacker-controlled name server answers with an external IP address that is not in the deny list, so the validation passes. When `axios` is then called and performs its own lookup, the same name server answers with a local IP address.
### PoC
To demonstrate we will be using an online tool nam
OSV
Directus vulnerable to Server-Side Request Forgery On File Import
osv·2023-03-03·CVSS 5.0
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h
- https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff
- https://github.com/directus/directus/releases/tag/v9.23.0

Published 2023-03-03