CVE-2024-39699

Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1	Patch
https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-07-08 16:15

Updated : 2024-07-09 14:37

NVD link : CVE-2024-39699

Mitre link : CVE-2024-39699

CVE.ORG link : CVE-2024-39699

JSON object : View

Products Affected

monospace

directus

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-39699", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2024-07-08T16:15:08.917", "references": [{"url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3."}, {"lang": "es", "value": "Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. Ya se inform\u00f3 de una vulnerabilidad SSRF mediante la importaci\u00f3n de archivos. Se solucion\u00f3 resolviendo todos los nombres DNS y verificando si la IP solicitada es una direcci\u00f3n IP interna. Sin embargo, es posible saltarse esta medida de seguridad y ejecutar un SSRF mediante redireccionamientos. Directus permite redireccionamientos al importar archivos desde la URL y no verifica la URL del resultado. As\u00ed, es posible ejecutar una solicitud a una IP interna, por ejemplo a 127.0.0.1. Sin embargo, es SSRF ciego, porque Directus tambi\u00e9n utiliza la t\u00e9cnica de interceptaci\u00f3n de respuestas para obtener la informaci\u00f3n sobre la conexi\u00f3n desde el socket directamente y no muestra una respuesta si la direcci\u00f3n IP es interna. Esta vulnerabilidad se solucion\u00f3 en 10.9.3."}], "lastModified": "2024-07-09T14:37:55.917", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7EF259E-D347-4839-8415-71B2588FD7DE", "versionEndExcluding": "10.9.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}