
=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN330

_____________________________________________________________________

DATE                : 20/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Directus versions prior to 10.6.0.

=====================================================================
https://github.com/directus/directus/security/advisories/GHSA-22rr-f3p8-5gf8
https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98
_____________________________________________________________________


VM2 Sandbox escape
High
br41nslug published GHSA-22rr-f3p8-5gf8

Package
Directus (npm)

Affected versions
<10.6.0

Patched versions
10.6.0


Description

Impact

In vm2 versions up to 3.9.19, Promise handler sanitization can be
bypassed, allowing attackers to escape the sandbox and run arbitrary
code. Within Directus this applies to the "Run Script" operation in
flows, which can escape the sandbox and run code in the main Node.js
context.


Patches

Patched in v10.6.0 by replacing vm2 with isolated-vm


Workarounds

None


References

GHSA-cchq-frgv-rjh5

Severity
High

7.6 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
High

Privileges required
High

User interaction
Required

Scope
Changed

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE ID
No known CVE

Weaknesses
No CWEs


Credits

     @ganlhi ganlhi Reporter
     @Swatto Swatto Reporter
     @leesh3288 leesh3288

_____________________________________________________________________


Incorrect Permission Checking for GraphQL Subscriptions
Moderate
br41nslug published GHSA-gggm-66rh-pp98

Package
Directus (npm)

Affected versions
>=10.3

Patched versions
10.5.0


Description

Summary

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Access to information a user should not have access to when the
permissions rely on $CURRENT_USER for filtering.


Details

The permission filters (e.g. user_created IS $CURRENT_USER) are not
properly checked when using GraphQL subscriptions, resulting in
unauthorized users receiving events on their subscription that,
according to the permissions, they should not be receiving.

This can affect any collection, but out of the box the directus_users
collection is configured with such a permission filter, so a
subscriber can receive updates about other users when changes happen.

An example:

subscription {
  directus_users_mutated {
    event
    data {
      id
      last_access
      last_page
    }
  }
}
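The failure mode described above, as an added illustration that is not Directus code: a mutation event dispatcher that forwards every directus_users event to every subscriber of that collection leaks other users' rows, while a dispatcher that re-evaluates each subscriber's read permission filter (with $CURRENT_USER resolved to that subscriber) only delivers rows the subscriber is allowed to read. The subscribers, the permission filter and the mutation event are constructed sample data; the filter operators supported here (_and, _or, _eq, _neq, _in) are a small subset chosen for the example.

```javascript
// Added example (not from Directus): why subscription events must pass
// through the same permission filter as ordinary reads.

// Constructed sample: the out-of-the-box rule "a user may only read their
// own directus_users row", expressed as a $CURRENT_USER-based filter.
const readPermission = { id: { _eq: '$CURRENT_USER' } };

// Constructed sample: two users subscribed to directus_users_mutated.
const subscribers = [
  { userId: 'u-alice', collection: 'directus_users', filter: readPermission },
  { userId: 'u-bob', collection: 'directus_users', filter: readPermission },
];

// Constructed sample: a mutation event emitted when bob's row is updated.
const sampleEvent = {
  event: 'update',
  collection: 'directus_users',
  data: { id: 'u-bob', last_access: '2023-09-20T10:00:00Z', last_page: '/admin' },
};

// Replace dynamic variables ($CURRENT_USER) in a filter with the values
// that apply to the subscriber being evaluated.
function resolveFilter(node, accountability) {
  if (Array.isArray(node)) return node.map((n) => resolveFilter(n, accountability));
  if (node && typeof node === 'object') {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, resolveFilter(v, accountability)]),
    );
  }
  return node === '$CURRENT_USER' ? accountability.user : node;
}

// Evaluate a (resolved) filter against one row. Supports _and/_or logical
// groups and the _eq/_neq/_in field operators; anything else is rejected
// rather than silently treated as a match.
function matchesFilter(row, filter) {
  if ('_and' in filter) return filter._and.every((f) => matchesFilter(row, f));
  if ('_or' in filter) return filter._or.some((f) => matchesFilter(row, f));
  return Object.entries(filter).every(([field, cond]) => {
    const value = row[field];
    if ('_eq' in cond) return value === cond._eq;
    if ('_neq' in cond) return value !== cond._neq;
    if ('_in' in cond) return cond._in.includes(value);
    throw new Error(`unsupported filter operator on field "${field}"`);
  });
}

// Vulnerable dispatcher: only the collection name is checked, so every
// subscriber of directus_users receives every mutation of any user row.
function dispatchUnfiltered(evt, subs) {
  return subs.filter((s) => s.collection === evt.collection).map((s) => s.userId);
}

// Hardened dispatcher: the mutated row must also satisfy the subscriber's
// own read permission filter, resolved for that subscriber.
function dispatchFiltered(evt, subs) {
  return subs
    .filter((s) => s.collection === evt.collection)
    .filter((s) => matchesFilter(evt.data, resolveFilter(s.filter, { user: s.userId })))
    .map((s) => s.userId);
}

// Demonstration: alice wrongly receives bob's update from the unfiltered
// dispatcher, and only bob receives it from the filtered one.
console.log('unfiltered recipients:', dispatchUnfiltered(sampleEvent, subscribers));
console.log('filtered recipients:  ', dispatchFiltered(sampleEvent, subscribers));
```

Matching the permission filter against the event payload alone is a simplification for the example. A permission filter may reference fields or relations that are not part of the mutation payload, so a production implementation should re-read the affected row through the same permission-aware read path used for queries, with the subscriber's accountability, and deliver the event only when that read returns the row.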

Patches

#19155


Workarounds

Disable GraphQL Subscriptions


References

Severity
Moderate

5.7 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
Required

Scope
Unchanged

Confidentiality
High

Integrity
None

Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CVE ID
CVE-2023-38503

Weaknesses
CWE-200


Credits

     @madc madc


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

