Sensitive Information Disclosure

2024-07-0907:59:40

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

directus

sensitive information disclosure

sso

local authentication

error handling

attacker

email address

username enumeration

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

JSON

directus is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper error handling when using SSO providers in combination with local authentication. An attacker can determine if an email address belongs to an SSO user by observing the error message provided by Directus, resulting in SSO username enumeration.