Directus, Information Disclosure Vulnerability, CVE-2024-28819 (Medium)


CVE-2024-28819 is an information disclosure flaw in the Directus REST API. It is exploited by comparing the distinct error messages returned by the `/items/{collection}` endpoint. When an unauthenticated or low-privileged user requests a collection that exists but that they lack permission to access, the API returns a detailed JSON error message that explicitly names the forbidden collection. When the request is for a collection that does not exist at all, the API returns a more generic error message that omits the collection name. This observable difference in error verbosity lets an attacker confirm which collection names exist in the Directus instance by systematically probing the endpoint and comparing the server's responses, mapping out the application's data structure without proper authorization.
Platform: Directus
Version: < 10.8.0
Vulnerability: Information Disclosure
Severity: Medium
Date: 2024-03-06

Prediction: Patch available

What Undercode Says:

`curl -s -X GET http://localhost:8055/items/restricted_collection -o error1.json`
`curl -s -X GET http://localhost:8055/items/nonexistent_collection -o error2.json`

`diff error1.json error2.json`

How to Exploit:

Send enumeration requests.

Compare error responses.

Map existing collections.

Protection from this CVE

Update to version 10.8.0.

Implement uniform error messages.

Apply access control checks.
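
As an added example (not part of this advisory or of Directus itself), a small Node.js script that flags the access pattern this enumeration leaves in a web server log: one client touching many distinct `/items/{collection}` names and being rejected nearly every time. The combined-style log format, the sample lines and the thresholds are assumptions.

```javascript
// Added example (not Directus code): flag clients whose /items/{collection} requests
// look like collection-name enumeration: many distinct names, almost all rejected.
// Log format (nginx/Apache combined style), sample lines and thresholds are assumptions.
const SAMPLE_LOG = [
  '203.0.113.5 - - [06/Mar/2024:10:00:01 +0000] "GET /items/articles HTTP/1.1" 200 512',
  '203.0.113.5 - - [06/Mar/2024:10:00:03 +0000] "GET /items/articles?limit=5 HTTP/1.1" 200 240',
  '198.51.100.9 - - [06/Mar/2024:10:00:02 +0000] "GET /items/restricted_collection HTTP/1.1" 403 98',
  '198.51.100.9 - - [06/Mar/2024:10:00:02 +0000] "GET /items/nonexistent_collection HTTP/1.1" 403 77',
  '198.51.100.9 - - [06/Mar/2024:10:00:03 +0000] "GET /items/users HTTP/1.1" 403 98',
  '198.51.100.9 - - [06/Mar/2024:10:00:03 +0000] "GET /items/invoices HTTP/1.1" 403 98',
  '198.51.100.9 - - [06/Mar/2024:10:00:04 +0000] "GET /items/customers HTTP/1.1" 403 98',
  '198.51.100.9 - - [06/Mar/2024:10:00:04 +0000] "GET /items/secrets HTTP/1.1" 404 77',
  '198.51.100.9 - - [06/Mar/2024:10:00:05 +0000] "GET /items/articles HTTP/1.1" 200 512',
].join('\n');

// Captures: client IP, method, collection name (path segment after /items/), HTTP status.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) \/items\/([^\/?\s"]+)[^"]*" (\d{3}) /;

// Parse one access-log line; returns null for lines that are not /items/ requests.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], collection: m[3], status: Number(m[4]) };
}

// Aggregate per client IP and flag enumeration-like behaviour:
// at least minDistinct different collection names, and at least minRejectedRatio
// of the client's /items/ requests answered with a 4xx (the 403/404 a probe gets).
function findEnumerators(logText, { minDistinct = 5, minRejectedRatio = 0.8 } = {}) {
  const perIp = new Map();
  for (const line of logText.split('\n')) {
    const hit = parseLine(line);
    if (!hit) continue;
    let s = perIp.get(hit.ip);
    if (!s) { s = { collections: new Set(), total: 0, rejected: 0 }; perIp.set(hit.ip, s); }
    s.collections.add(hit.collection);
    s.total += 1;
    if (hit.status >= 400 && hit.status < 500) s.rejected += 1;
  }
  const flagged = [];
  for (const [ip, s] of perIp) {
    const ratio = s.rejected / s.total;
    if (s.collections.size >= minDistinct && ratio >= minRejectedRatio) {
      flagged.push({ ip, distinctCollections: s.collections.size, rejectedRatio: ratio });
    }
  }
  return flagged;
}

console.log(findEnumerators(SAMPLE_LOG));
```

On the constructed sample only 198.51.100.9 is flagged; the legitimate client that repeatedly reads one collection it is allowed to see is not.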

Impact:

Collection name leakage.

Unauthorized information disclosure.

Reconnaissance facilitation.


Sources:

Reported By: github.com
