fix(deps): update dependency directus to v10.11.2 [security] #81

Open
wants to merge 1 commit into
base: main

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented May 13, 2024

Mend Renovate

This PR contains the following updates:

Package            Change
directus (source)  10.10.7 -> 10.11.2

GitHub Vulnerability Alerts

CVE-2024-34708

Summary

A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API.
Normally, these redacted fields will return **********; however, if we change the request to ?alias[workaround]=redacted we can instead retrieve the plain text value for the field.

Steps to reproduce

  • Set up a simple role with read-access to users.
  • Create a new user with the role from the previous step
  • Assign a password to the user

The easiest way to confirm this vulnerability is by first visiting /users/me. You should be presented with a redacted JSON-object.
Next, visit /users/me?alias[hash]=password. This time, the returned JSON object will include the raw password hash instead of the redacted value.

Workaround

This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them.

CVE-2024-34709

Summary

Currently session tokens function like the other JWT tokens, where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted, but if you captured the cookie value it will still work for the entire expiry time, which is set to 1 day by default. This makes it effectively a long-lived, unrevokable stateless token instead of the stateful session token it was meant to be.
When authenticating a session token JWT, Directus should also check whether the associated directus_session both still exists and has not expired (although the token should expire at the same time or before the session) to ensure leaked tokens are not valid indefinitely.

Steps to reproduce

  • Copy the current session token from the cookie
  • Refresh and or log out
  • Use the saved session token to check if it is still valid

Impact

The lack of proper session expiration may improve the likely success of certain attacks. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.

CVE-2024-36128

Describe the Bug

Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID.

To Reproduce

  1. Test if the endpoint is working and accessible, GET http://localhost:8055/utils/random/string
  2. Do a bad request GET http://localhost:8055/utils/random/string?length=foo
  3. After this all calls to GET http://localhost:8055/utils/random/string will return an empty string instead of a random string
  4. In this error situation you'll see authentication refreshes fail for the app and api.

Impact

This counts as an unauthenticated denial of service attack vector so this impacts all unpatched instances reachable over the internet.


Release Notes

directus/directus (directus)

v10.11.2


v10.11.1


v10.11.0


⚠️ Potential Breaking Changes

Fixed API queries with the search parameter to return no results if the query is not applicable to any fields (#22342)
Previously, the API returned all items for collections where the search parameter was not applicable to any fields. Now the API returns no items in such a case.

  • @directus/sdk
    • Made the SDK realtime composable compatible with React Native, the WebSocket client will now be initialized with the URL as string instead of URL (#22105 by @paescuj)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title fix(deps): update dependency directus to v10.11.0 [security] fix(deps): update dependency directus to v10.11.2 [security] Jun 4, 2024
@renovate renovate bot force-pushed the renovate/npm-directus-vulnerability branch from e80c77b to 573041e on June 4, 2024 17:54