@directus/api (>=16.0.0 <=19.2.0), directus (>=10.9.0 <=10.11.2) +3 more potentially affected by CVE-2024-39895 via @directus/env (>=1.0.0 <=1.1.5)
@directus/env, NPM, version >=1.0.0, >=16.0.0, >=10.9.0, >=1.2.0, >=10.10.4, >=18.2.1-q1, >=19.0.3-quantum.2. Source CVE: CVE-2024-39895. Source advisory: OSV:GHSA-7HMH-PFRP-VCX4...
GHSA-7HMH-PFRP-VCX4 Directus GraphQL Field Duplication Denial of Service (DoS)
Summary: A denial-of-service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and...
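The advisory describes the attack shape (one field requested many times in one selection set) but not a check. The following is an added example, not code from Directus or from the advisory: a small selection-set walker that measures how often any field name is repeated inside a single selection set, so a query can be rejected before it reaches the executor. It is not a full GraphQL parser; comments, string literals and argument lists are skipped so their contents cannot be mistaken for fields. Aliases are resolved to the underlying field name (`a1: email` and `a2: email` both count as `email`) because each still costs a resolver call. The limit of 5 and the `users`/`email` names are assumptions for the example.

```javascript
// Added example (not Directus code): measure GraphQL field duplication before execution.
const KEYWORDS = new Set(['query', 'mutation', 'subscription', 'fragment', 'on']);
const IDENT = /[_A-Za-z][_0-9A-Za-z]*/y;

// Remove comments and string literals so stray braces/parens inside them are ignored.
function stripNoise(query) {
  return query
    .replace(/#[^\n]*/g, ' ')                 // line comments
    .replace(/"""[\s\S]*?"""/g, '""')         // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""');     // ordinary strings
}

// src[start] is '('; return the index just past the matching ')'.
function skipParens(src, start) {
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return i + 1;
  }
  return src.length;
}

// Returns { field, count }: the most-repeated field name within any one selection set.
function maxFieldDuplication(query) {
  const src = stripNoise(query);
  const stack = [];                 // one Map(fieldName -> count) per open selection set
  let worst = { field: null, count: 0 };
  let skipNextIdent = false;        // set after '@' (directive name) or 'on' (type condition)

  for (let i = 0; i < src.length; ) {
    const ch = src[i];
    if (ch === '(') { i = skipParens(src, i); continue; }      // arguments / variable defs
    if (ch === '{') { stack.push(new Map()); i++; continue; }
    if (ch === '}') { stack.pop(); i++; continue; }
    if (ch === '@') { skipNextIdent = true; i++; continue; }
    IDENT.lastIndex = i;
    const m = IDENT.exec(src);
    if (m === null) { i++; continue; }                          // punctuation, numbers, '...'
    i = IDENT.lastIndex;
    const name = m[0];
    if (skipNextIdent) { skipNextIdent = false; continue; }
    if (KEYWORDS.has(name)) { if (name === 'on') skipNextIdent = true; continue; }
    let j = i;
    while (j < src.length && /\s/.test(src[j])) j++;
    if (src[j] === ':') { i = j + 1; continue; }                // alias label; real field follows
    if (stack.length === 0) continue;                           // operation/fragment names
    const scope = stack[stack.length - 1];
    const count = (scope.get(name) || 0) + 1;
    scope.set(name, count);
    if (count > worst.count) worst = { field: name, count };
  }
  return worst;
}

// Policy hook: reject before execution. The limit is an assumed deployment choice.
function checkDuplicationLimit(query, limit = 5) {
  const worst = maxFieldDuplication(query);
  return worst.count > limit
    ? { ok: false, reason: `field "${worst.field}" requested ${worst.count} times in one selection set` }
    : { ok: true, reason: null };
}

// Constructed attack-shaped query: the same field repeated n times in one selection set.
function buildDuplicationQuery(collection, field, n) {
  return `query { ${collection} { ${Array(n).fill(field).join(' ')} } }`;
}

// Constructed legitimate query for comparison (two aliased selections of the same field).
const NORMAL_QUERY = `
  # comment with { braces } and "email email email"
  query Users($limit: Int) {
    users(limit: $limit, filter: { status: { _eq: "active" } }) {
      id
      email
      primary: role { name }
      secondary: role { id }
    }
  }`;
```

In a real server this check would run as a validation rule over the parsed AST rather than over raw text; the walker here is standalone so it runs offline. Note that counting by field name (not by alias) is the conservative choice: aliased duplicates still cost a resolver call each.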
GHSA-HXGM-GHMV-XJJM Directus incorrectly handles `_in` filter
Summary: Directus >=9.23.0, `.role` matches any of ". Which should fail. This instead passes in Directus >=v9.23.0. PoC: `"role": {"_in": $CURRENT_USER.some_field}` field validation would pass if `$CURRENT_USER.some_field` is null. Real scenario: Using https://github.com/u12206050/directus-extension-role-chooser...
CVE-2024-39896 Directus allows SSO User Enumeration
Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider, Directus may emit a "helpful" error indicating that the user belongs to another provider, enabling enumeration of ...
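The mechanism above is a classic response oracle: the local-login path answers differently for an unknown email than for an email that belongs to an SSO provider. The following is an added example, not Directus code: a vulnerable handler that names the provider, a hardened handler that collapses every failure to one message, and a small oracle check that an attacker (or a test suite) would use to tell them apart. The users, provider names, messages and the plaintext password comparison are constructed for the example; a real system compares a password hash in constant time.

```javascript
// Added example (not Directus code): provider-specific login errors as a user-existence oracle.
const GENERIC = 'Invalid user credentials.';

// Constructed sample directory. bob is an SSO-only account with no local password.
const USERS = [
  { email: 'alice@example.com', provider: 'default', password: 'correct horse' },
  { email: 'bob@example.com',   provider: 'okta',    password: null },
];

function findUser(email) {
  return USERS.find(u => u.email === email) || null;
}

// Vulnerable: tries to be helpful, and in doing so confirms the account exists and names its IdP.
function vulnerableLogin(email, password) {
  const user = findUser(email);
  if (!user) return { status: 401, message: GENERIC };
  if (user.provider !== 'default') {
    return { status: 401, message: `This account uses the "${user.provider}" provider; sign in with SSO.` };
  }
  return user.password === password
    ? { status: 200, message: 'ok' }
    : { status: 401, message: GENERIC };
}

// Hardened: unknown email, SSO-only account and wrong password all produce the same response.
function hardenedLogin(email, password) {
  const user = findUser(email);
  const ok = user !== null && user.provider === 'default' && user.password === password;
  return ok ? { status: 200, message: 'ok' } : { status: 401, message: GENERIC };
}

// Oracle check: probe several emails with a wrong password and collect the distinct failure
// messages. A set of size 1 means the message channel does not distinguish accounts.
function distinctFailureMessages(loginFn, emails) {
  const seen = new Set();
  for (const email of emails) {
    const res = loginFn(email, 'wrong-password');
    if (res.status !== 200) seen.add(res.message);
  }
  return seen;
}

// Constructed probe list: a local user, an SSO user and a non-existent address.
const PROBES = ['alice@example.com', 'bob@example.com', 'nobody@example.com'];
```

The message channel is only one side channel; response timing (for example skipping the hash comparison for SSO accounts) can leak the same bit, so the hardened path should also do the same amount of work on every failure.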
CVE-2024-39895 Directus GraphQL Field Duplication Denial of Service (DoS)
Directus is a real-time API and App dashboard for managing SQL database content. A denial-of-service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations, leading to excessive resource usage and service unavailability. The vulnerability is fixed in Directus 10.12.0. Remediation: ...
CVE-2024-39701 Directus incorrectly handles `_in` filter
Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles the `_in` and `_nin` operators. It evaluates empty arrays as valid, so an expression like `"role": {"_in": $CURRENT_USER.some_field}` evaluates to true when the referenced field is empty or null, allowing the request to pass. This can lead to Broken Access Control. The issue is fixed in Directus 10.6.0. Affected deploymen...
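Both the GHSA summary and the CVE text above describe the same failure: a permission rule whose `_in` list comes from a dynamic variable, and an evaluator that treats an empty list as a match. The following is an added example, not Directus code and not a transcription of the Directus patch: a miniature filter evaluator in the shape of Directus filter rules (`{ field: { _in: [...] } }`, `_and`/`_or`, `$CURRENT_USER.some_field` variables). Its "vulnerable" mode reproduces the behaviour the advisory describes; its fixed mode applies set semantics, where `x IN ()` is never true and `x NOT IN ()` is always true. The rule, row, context and the `allowed_roles` field name are constructed for the example.

```javascript
// Added example (not Directus code): _in / _nin evaluation with an empty or null list.

// Resolve "$CURRENT_USER.some_field" against a context object; unknown paths give undefined.
function resolveDynamic(value, context) {
  if (typeof value !== 'string' || !value.startsWith('$')) return value;
  const [root, ...path] = value.slice(1).split('.');
  let cur = context[root];
  for (const key of path) cur = cur == null ? undefined : cur[key];
  return cur;
}

// Normalise the right-hand side of _in/_nin: null/undefined -> [], scalar -> [scalar].
function toList(v) {
  if (v == null) return [];
  return Array.isArray(v) ? v : [v];
}

function applyOperator(op, actual, expected, { vulnerable }) {
  switch (op) {
    case '_eq':  return actual === expected;
    case '_neq': return actual !== expected;
    case '_in': {
      const list = toList(expected);
      // Vulnerable mode: an empty list is "valid" and the rule passes.
      // Fixed mode: nothing is a member of the empty set, so the rule fails.
      if (list.length === 0) return vulnerable ? true : false;
      return list.includes(actual);
    }
    case '_nin': {
      const list = toList(expected);
      if (list.length === 0) return true;     // nothing is excluded; correct in both modes
      return !list.includes(actual);
    }
    default: throw new Error(`unsupported operator ${op}`);
  }
}

// Evaluate a filter object against a row. Top-level keys are fields, or _and/_or groups.
function evaluateFilter(filter, row, context, options = { vulnerable: false }) {
  for (const [key, rule] of Object.entries(filter)) {
    if (key === '_and') {
      if (!rule.every(f => evaluateFilter(f, row, context, options))) return false;
      continue;
    }
    if (key === '_or') {
      if (!rule.some(f => evaluateFilter(f, row, context, options))) return false;
      continue;
    }
    for (const [op, raw] of Object.entries(rule)) {
      const expected = resolveDynamic(raw, context);
      if (!applyOperator(op, row[key], expected, options)) return false;
    }
  }
  return true;
}

// Constructed scenario: allow access only to rows whose role is listed on the current user.
const RULE = { role: { _in: '$CURRENT_USER.allowed_roles' } };
const ROW = { id: 42, role: 'administrator' };
const CTX_EMPTY  = { CURRENT_USER: { id: 7, allowed_roles: null } };       // field never set
const CTX_SCOPED = { CURRENT_USER: { id: 7, allowed_roles: ['editor'] } };

function demo() {
  return {
    vulnerableEmpty: evaluateFilter(RULE, ROW, CTX_EMPTY, { vulnerable: true }), // access granted
    fixedEmpty:      evaluateFilter(RULE, ROW, CTX_EMPTY),                        // denied
    fixedScoped:     evaluateFilter(RULE, ROW, CTX_SCOPED),                       // denied: not in list
  };
}
```

The practitioner's check is the `vulnerableEmpty` case: any user whose referenced field is unset gets a rule that passes for every row, which is the opposite of what the rule author intended. When writing rules of this shape, treat a null or empty dynamic value as "deny" and verify it with a user record that has the field unset.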
CVE-2024-39699
Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...