CVE-2024-54151
Published 2024-12-09
Priority: P348 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.58% (43.2th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public` allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions. Version 11.3.0 fixes the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | api | >= 22.2.0 < 23.2.0 | 23.2.0 |
| directus | directus | — | — |
| directus | directus | >= 11.0.0 < 11.3.0 | 11.3.0 |
| monospace | directus | >= 11.0.0 < 11.3.0 | 11.3.0 |
OSV
Directus allows unauthenticated access to WebSocket events and operations
osv·2024-12-09
CVE-2024-54151 [HIGH] Directus allows unauthenticated access to WebSocket events and operations
### Summary
When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.
### Details
Accountability for unauthenticated WebSocket requests is set to `null`. Before the Permissions Policy update, `null` meant "public permissions"; since that update, `null` is treated as system/admin-level access. Instead of `null`, the WebSocket layer therefore needs to use `createDefaultAccountability()` so that unauthenticated users are evaluated against public permissions.
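The defect above as an added TypeScript illustration, not Directus's own code: the `Accountability` shape, the permission table, the token check and the `createDefaultAccountability()` stand-in are all constructed assumptions. It shows a permission check that treats a missing (`null`) accountability as a trusted system caller, so an unauthenticated socket client bypasses every collection permission, next to the fixed path that substitutes an explicit public accountability.

```typescript
// Constructed model of the defect (added example; not Directus's own code).
// Assumed shapes: a minimal Accountability, a flat permission table, and a
// check that treats a *missing* accountability as a trusted internal caller.
type Action = "read" | "create" | "update" | "delete";
type Accountability = { role: string | null; admin: boolean };
type Permission = { role: string | null; collection: string; action: Action };

// Constructed permission table: the public role (null) may only read "articles".
const PERMISSIONS: Permission[] = [{ role: null, collection: "articles", action: "read" }];

// Hypothetical stand-in for createDefaultAccountability(): an explicit,
// non-admin identity carrying the public role.
function createDefaultAccountability(): Accountability {
  return { role: null, admin: false };
}

// Simplified token check: no token means no identity (null); the constructed
// "admin-token" yields an admin accountability; anything else is rejected.
function authenticate(token: string | undefined): Accountability | null {
  if (token === undefined) return null;
  return token === "admin-token" ? { role: "admin", admin: true } : null;
}

// Permission check. Before the policy change null meant "public"; after it,
// null is treated like a system/admin caller and skips the table lookup.
function isAllowed(acc: Accountability | null, collection: string, action: Action): boolean {
  if (acc === null || acc.admin) return true; // the dangerous branch
  return PERMISSIONS.some(p => p.role === acc.role && p.collection === collection && p.action === action);
}

// Vulnerable path: an unauthenticated socket client keeps null accountability,
// so every CRUD action on every collection is allowed.
function handleVulnerable(token: string | undefined, collection: string, action: Action): boolean {
  return isAllowed(authenticate(token), collection, action);
}

// Fixed path: replace null with the explicit public accountability, so the
// request is evaluated against the public role's permissions.
function handleFixed(token: string | undefined, collection: string, action: Action): boolean {
  return isAllowed(authenticate(token) ?? createDefaultAccountability(), collection, action);
}
```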
### PoC
1. Start Directus with:
```bash
WEBSOCKETS_ENABLED=true
WEBSOCKETS_GRAPHQL_AUTH=public
WEBSOCKETS_REST_AUTH=public
```
2. Subscribe using GQL or REST or do
GHSA
Directus allows unauthenticated access to WebSocket events and operations
ghsa·2024-12-09
CVE-2024-54151 [HIGH] CWE-200 Directus allows unauthenticated access to WebSocket events and operations
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.