Directus is a popular real-time API and App dashboard that is commonly used for managing SQL database content. However, a recent vulnerability has been discovered in the platform that could potentially jeopardize the privacy of user data. This vulnerability, designated as CVE-2023-38503, affects Directus versions 10.3. through 10.4.9.

The issue pertains to the improper handling of permission filters, specifically when using GraphQL subscriptions. In this post, we will explore the details of this vulnerability, and discuss potential workarounds and solutions.

Exploit Details

The crux of CVE-2023-38503 lies in the aforementioned permission filters. In Directus, permission filters are used to limit the scope of content a user can access and modify. For instance, one such filter might be set to restrict access to content created by the current user (i.e., user_created IS $CURRENT_USER).

However, the vulnerability arises when GraphQL subscriptions come into play. The permission filters are not applied when subscription events are delivered, so a subscriber receives events for records that the filter should hide from them. The significance of this issue is compounded by the fact that, by default in Directus, the directus_users collection has such permission filters associated with it.

As a result, unauthorized users can potentially receive updates, and subsequently access data, of other users via GraphQL subscriptions. This opens the door to abuse, as bad actors can exploit this vulnerability to gain access to sensitive user data.

To illustrate the potential consequences of CVE-2023-38503, consider the following subscription:

subscription ($id: ID!) {
  user_changed(id: $id) {
    id
    email
    name
    hashed_password
  }
}

In this example, an attacker only needs to know a user's ID to subscribe to changes made to said user's data. The attacker will then receive updates whenever any change is made to the user's data, such as modifying their email, name, or hashed_password.
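The missing check, written out as an added example (this is not Directus' own code): before a mutation event is pushed to a GraphQL subscriber, the collection's permission filter is evaluated against the changed record with $CURRENT_USER resolved to the subscriber, and events that fail the filter are dropped. The filter syntax mirrors Directus' JSON filter rules but only a handful of operators are modelled here; the sample filter and events are constructed for the example.

```javascript
// Resolve Directus-style dynamic variables against the subscriber's identity.
function resolveValue(raw, subscriber) {
  if (raw === "$CURRENT_USER") return subscriber.user;
  if (raw === "$CURRENT_ROLE") return subscriber.role;
  return raw;
}

// Evaluate a (subset of a) Directus permission filter against one record.
// Supported: _and, _or, and the field operators _eq, _neq, _in.
function matchesFilter(record, filter, subscriber) {
  for (const [key, condition] of Object.entries(filter)) {
    if (key === "_and") {
      if (!condition.every((f) => matchesFilter(record, f, subscriber))) return false;
    } else if (key === "_or") {
      if (!condition.some((f) => matchesFilter(record, f, subscriber))) return false;
    } else {
      // Field-level rule, e.g. { user_created: { _eq: "$CURRENT_USER" } }
      const actual = record[key];
      for (const [op, raw] of Object.entries(condition)) {
        const expected = resolveValue(raw, subscriber);
        if (op === "_eq" && actual !== expected) return false;
        if (op === "_neq" && actual === expected) return false;
        if (op === "_in" && !expected.map((v) => resolveValue(v, subscriber)).includes(actual)) return false;
      }
    }
  }
  return true;
}

// Gate a queue of mutation events: only events whose record passes the
// subscriber's permission filter are returned for delivery.
function filterSubscriptionEvents(events, permissionFilter, subscriber) {
  return events.filter((evt) => matchesFilter(evt.data, permissionFilter, subscriber));
}

// Constructed sample: a read filter that scopes a user to their own
// directus_users record, and update events for two different users.
const USERS_READ_FILTER = { id: { _eq: "$CURRENT_USER" } };
const SAMPLE_EVENTS = [
  { event: "update", collection: "directus_users", data: { id: "u-alice", email: "alice@example.test" } },
  { event: "update", collection: "directus_users", data: { id: "u-bob", email: "bob@example.test" } },
];
```

Without this gate, every subscriber receives both events, which is exactly the behaviour the CVE describes.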

Mitigating CVE-2023-38503

Fortunately, Directus version 10.5. contains a patch that addresses CVE-2023-38503. As such, the easiest and most straightforward method to mitigate the risks of this vulnerability is to update to Directus 10.5..

However, if updating is not immediately feasible, another workaround is to disable GraphQL subscriptions. While this may impact certain functionalities, it will ensure that unauthorized access to user data is prevented.

Conclusion

CVE-2023-38503 is a noteworthy vulnerability in the Directus platform that could compromise user data privacy if not adequately addressed. By understanding the nature of the issue and taking the appropriate steps to update the software or disable GraphQL subscriptions, organizations and users can prevent unauthorized access to their data and maintain their privacy.

For more information about this vulnerability, refer to the following resources:

- Original Directus GitHub Issue
- Directus Security Release Notes
- NVD CVE-2023-38503

Remember to keep your software up-to-date and stay informed of potential security vulnerabilities to ensure the safety and security of your data.

Timeline

Published on: 07/25/2023 23:15:00 UTC
Last modified on: 08/03/2023 15:33:00 UTC