CVE-2024-45596
Published 2024-09-10
Priority: P3 (40) · CVSS 3.1: 6.5 (medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.62% (45.1th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access the credentials of the last authenticated user via OpenID or OAuth2 when the authentication URL did not include the redirect query string. This happens because, on that endpoint, Directus uses the respond middleware for both OpenID and OAuth2; by default this middleware tries to cache GET requests that meet certain conditions. However, those conditions do not account for this scenario, in which an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | api | >= 0 < 21.0.1 | 21.0.1 |
| directus | api | >= 22.0.0 < 22.2.0 | 22.2.0 |
| directus | directus | < 10.13.3 | 10.13.3 |
| directus | directus | — | — |
| directus | directus | >= 0 < 10.13.3 | 10.13.3 |
| directus | directus | >= 11.0.0-rc.1 < 11.1.0 | 11.1.0 |
| monospace | directus | < 10.13.3 | 10.13.3 |
| monospace | directus | >= 11.0.0 < 11.1.0 | 11.1.0 |
OSV
Session is cached for OpenID and OAuth2 if `redirect` is not used
osv·2024-09-10
CVE-2024-45596 [HIGH] Session is cached for OpenID and OAuth2 if `redirect` is not used
### Summary
An unauthenticated user can access the credentials of the last authenticated user via OpenID or OAuth2 when the authentication URL did not include the `redirect` query string.
For example:
- Project is configured with OpenID or OAuth2
- Project is configured with cache enabled
- A user logs in via the SSO link, but without the `redirect` query string
- After successful login, credentials are cached
- If an unauthenticated user then opens the same SSO link, the response returns the credentials of the last user who logged in
The SSO link is something like `https://directus.example.com/auth/login/openid/callback`, where `openid` is the name of the OpenID provider configured in Directus.
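The caching mistake described above, as an added model in JavaScript that is not Directus's code: a generic GET response cache sits in front of a hypothetical SSO callback, and the two cache policies show why a cache that only checks method and status hands the last user's session to the next anonymous caller. The names `ssoCallback`, `cacheKey`, `withCache`, `replayScenario` and the identity-plus-path cache key are assumptions of this model; the hardened policy is the mitigation of never caching a response that issues credentials.

```javascript
// Added model (not Directus code) of the advisory's failure mode: a generic GET
// response cache in front of an SSO callback whose conditions ignore whether the
// response hands out session credentials (CWE-384). The route shape and the role
// of the `redirect` parameter follow the advisory; everything else is constructed.

// Hypothetical callback: exchanges the provider's `code` for a session token.
function ssoCallback(req) {
  if (!req.query.code) {
    return { status: 401, body: { error: 'missing provider code' }, noStore: true };
  }
  if (req.query.redirect) {
    // With `redirect`, the token travels via a 302, which a 200-only cache never stores.
    return { status: 302, headers: { Location: req.query.redirect }, noStore: true };
  }
  // Without `redirect`, the session token is returned in the JSON body (constructed value).
  return { status: 200, body: { access_token: `token-for-${req.query.code}` }, noStore: true };
}

// Cache key modelled on (caller identity, path): every anonymous caller maps to the
// same key, and provider parameters such as `code` are not part of it (assumption).
function cacheKey(req) {
  return `${req.user ?? 'anonymous'}:${req.path}`;
}

// Vulnerable policy: cache every successful GET, whatever the response carries.
const cacheAnySuccessfulGet = (req, res) => req.method === 'GET' && res.status === 200;
// Hardened policy: additionally honour the handler's no-store marker.
const cacheUnlessNoStore = (req, res) => cacheAnySuccessfulGet(req, res) && !res.noStore;

// Wraps a handler with a response cache governed by `policy`.
function withCache(handler, policy) {
  const store = new Map();
  return (req) => {
    const key = cacheKey(req);
    if (store.has(key)) return { ...store.get(key), fromCache: true };
    const res = handler(req);
    if (policy(req, res)) store.set(key, res);
    return { ...res, fromCache: false };
  };
}

// Replays the advisory: a victim completes SSO without `redirect`, then an
// anonymous visitor opens the same callback URL. Returns the visitor's response.
function replayScenario(policy) {
  const app = withCache(ssoCallback, policy);
  const path = '/auth/login/openid/callback';
  app({ method: 'GET', path, query: { code: 'victim-code', state: 'xyz' } });
  return app({ method: 'GET', path, query: {} });
}
```

Under the vulnerable policy the visitor's response comes from the cache with the victim's token; under the hardened policy it is a fresh 401.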
### Details
This happens because on that endpoint for both
GHSA
Session is cached for OpenID and OAuth2 if `redirect` is not used
ghsa·2024-09-10
CVE-2024-45596 [HIGH] CWE-384 Session is cached for OpenID and OAuth2 if `redirect` is not used
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-09-10