Impact
What kind of vulnerability is it? Who is impacted?
Users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allows the user to enumerate the password hashes.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been patched by preventing any hashed/concealed field to be filtered against with the _starts_with or other string operator.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Ensuring that no user has read access to the password field in directus_users is sufficient to prevent this vulnerability.
References
Are there any links users can visit to find out more?
#14829 & #15010
For more information
If you have any questions or comments about this advisory:
Credit
Erik van Oosbree & Witold Gorecki
Impact
What kind of vulnerability is it? Who is impacted?
Users with read access to the
passwordfield indirectus_userscan extract the argon2 password hashes by brute forcing the export functionality combined with a_starts_withfilter. This allows the user to enumerate the password hashes.Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been patched by preventing any hashed/concealed field to be filtered against with the
_starts_withor other string operator.Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Ensuring that no user has
readaccess to thepasswordfield indirectus_usersis sufficient to prevent this vulnerability.References
Are there any links users can visit to find out more?
#14829 & #15010
For more information
If you have any questions or comments about this advisory:
Credit
Erik van Oosbree & Witold Gorecki