Skip to content

Extract password hashes through export querying

Moderate
br41nslug published GHSA-m5q3-8wgf-x8xf Mar 7, 2023

Package

npm directus (npm)

Affected versions

< 9.16.0

Patched versions

9.16.0

Description

Impact

What kind of vulnerability is it? Who is impacted?

Users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allows the user to enumerate the password hashes.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem has been patched by preventing any hashed/concealed field to be filtered against with the _starts_with or other string operator.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Ensuring that no user has read access to the password field in directus_users is sufficient to prevent this vulnerability.

References

Are there any links users can visit to find out more?

#14829 & #15010

For more information

If you have any questions or comments about this advisory:

Credit

Erik van Oosbree & Witold Gorecki

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2023-27481

Weaknesses

Credits