Directus is a widely used real-time API and App dashboard designed to facilitate the management of SQL database content. A critical security vulnerability, identified as CVE-2024-54151, has been reported in Directus versions 11.. through 11.2.9. If the WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH settings are set to "public," an unauthenticated user can perform supported operations such as CRUD (create, read, update, and delete) and subscriptions with full admin privileges.

The following post provides an in-depth analysis of this vulnerability, with relevant code snippets, links to original references, and exploit details.

Exploit Details

Affected Directus instances have either the WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH setting configured as public. As a result, unauthenticated users can subscribe to changes on any collection or carry out REST CRUD operations on user-defined collections, bypassing any permissions that have been configured.

For example, an attacker can create a new item in a Directus collection using the following WebSocket request:

{
  "action": "create",
  "payload": {
    "collection": "target_collection",
    "data": {
      "field1": "value1",
      "field2": "value2",
      /* ... */
    }
  }
}

Or use the following GraphQL request to retrieve items from a collection:

query {
  items(collection: "target_collection") {
    field1
    field2
    /* ... */
  }
}

This vulnerability exposes sensitive data to unauthorized users and allows them to manipulate or delete critical data, potentially leading to severe consequences.

Original References

1. Directus GitHub Issue #10259: A GitHub issue detailing the vulnerability and its discovery.
2. Directus Version 11.3. Changelog: The official changelog for Directus version 11.3., which addresses the security vulnerability.
3. Directus Security Advisory: The official security advisory regarding CVE-2024-54151.

Solution

To mitigate this vulnerability, it is crucial to update to Directus version 11.3. or later. Additionally, review the WEBSOCKETS_GRAPHQL_AUTH and WEBSOCKETS_REST_AUTH settings in the Directus configuration, ensure that neither is set to public, and restrict WebSocket access to authenticated, authorized users.
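As an added example (not code from the original post or from the Directus project), the following script audits a Directus .env file for the two settings named above. It assumes a constructed sample file, that WEBSOCKETS_ENABLED controls whether the WebSocket endpoints are served at all (defaulting to false), and that the non-public values Directus documents for these settings are handshake and strict.

```python
import re
from typing import Dict, List

# Constructed sample of a Directus .env file (not taken from any real deployment).
SAMPLE_ENV = """\
# Directus configuration
WEBSOCKETS_ENABLED=true
WEBSOCKETS_REST_AUTH=public
WEBSOCKETS_GRAPHQL_AUTH="handshake"
DB_CLIENT=pg
"""

WS_AUTH_KEYS = ("WEBSOCKETS_REST_AUTH", "WEBSOCKETS_GRAPHQL_AUTH")
# Assumption from the Directus docs: these keys accept "public", "handshake"
# or "strict"; "public" is the value that triggers CVE-2024-54151.
SAFE_MODES = {"handshake", "strict"}


def parse_env(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines, optional quotes, '#' comments."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip a matching pair of quotes
        env[key.strip()] = value
    return env


def audit_websocket_auth(env: Dict[str, str]) -> List[str]:
    """Return one finding per WebSocket auth setting that exposes the instance."""
    findings: List[str] = []
    # Assumption: WEBSOCKETS_ENABLED defaults to false, so when it is absent
    # or false the WebSocket endpoints are not served and nothing is exposed.
    if env.get("WEBSOCKETS_ENABLED", "false").strip().lower() != "true":
        return findings
    for key in WS_AUTH_KEYS:
        mode = env.get(key, "handshake").strip().lower()  # assumed default
        if mode == "public":
            findings.append(f"{key}=public: unauthenticated WebSocket clients act "
                            f"with admin privileges (CVE-2024-54151); use handshake or strict")
        elif mode not in SAFE_MODES:
            findings.append(f"{key}={mode!r}: unrecognised value, verify against the Directus docs")
    return findings


if __name__ == "__main__":
    for finding in audit_websocket_auth(parse_env(SAMPLE_ENV)):
        print("FINDING:", finding)
```

Run it against the real .env (or the container's environment) of each Directus instance; an empty result means neither setting is public or WebSockets are disabled.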

Conclusion

CVE-2024-54151 is a critical security vulnerability impacting Directus instances with either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public. This vulnerability allows unauthenticated users to perform various operations with full admin privileges, exposing sensitive data and potentially leading to significant harm.

Properly updating to Directus version 11.3. and ensuring strict access controls in the configuration settings can aid in mitigating this vulnerability. As with any software application, it is crucial to keep up to date with the latest security patches and follow best practices for securing sensitive data.

Stay informed on the latest security vulnerabilities and stay safe!

Timeline

Published on: 12/09/2024 21:15:08 UTC
Last modified on: 12/10/2024 18:15:42 UTC