GHSA-8vg2-wf3q-mwv7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8vg2-wf3q-mwv7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8vg2-wf3q-mwv7/GHSA-8vg2-wf3q-mwv7.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8vg2-wf3q-mwv7
- Aliases
- Published
- 2023-03-23T19:47:12Z
- Modified
- 2023-11-01T05:01:41.499867Z
- Severity
-
- 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- directus vulnerable to Insertion of Sensitive Information into Log File
- Details
-
Summary
CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The
directus_refresh_tokenis not redacted properly from the log outputs and can be used to impersonate users without their permission.Details
Using
v9.23.1, I am seeing that thedirectus_refresh_tokenis not properly redacted as indicated by https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13I'm classifying this as a security vulnerability because if someone has access to the log outputs, for example with a shared Cloud account or Splunk implementation, they could exchange the refresh token using
/auth/refreshfor an access token and use the token to perform actions on behalf of an unsuspecting user. This situation creates issues with accountability and non-repudiation because we can no longer have confidence that actions taken in the application were authorized or even performed by the logged-in user.A couple of examples of this are: - A disgruntled employee deletes all of the data to get even with a target team member before logging off on their last day - Under the guise of their unsuspecting boss, a mischievous engineer uploads questionable images that get displayed on internal or external facing content sites
The list could go on but I think these communicate the risk of an internal threat that has access to this information 😆
PoC
- Set
LOG_STYLE="raw"and run Directus v9.23.1 - Log in to the application
Look at the shell output and see that
directus_refresh_tokenis loggedNote: This is different from the standard
rawoutput format. I intentionally ran this withnpx directus start | pino-prettyso logs would be easier to read. It can also be reproduced by runningnpx directus startalone.
Exchange the
directus_refresh_tokenfor anaccess_tokencurl -X POST \ 'http://0.0.0.0:8055/auth/refresh' \ --header 'Accept: */*' \ --header 'Cookie: directus_refresh_token=$shh'
Impact
Because this can be used to exploit other threats related to CWE-284: Improper Access Control I rank it with a Moderate severity. An insider with knowledge of this could do many mischievous things and get away with them for a long time without victims knowing about it.
- Set
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2023-03-23T19:47:12Z", "cwe_ids": [ "CWE-284", "CWE-532" ], "nvd_published_at": "2023-03-24T00:15:00Z", "severity": "MODERATE" }- References
-
- https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7
- https://nvd.nist.gov/vuln/detail/CVE-2023-28443
- https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc
- https://github.com/directus/directus
- https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13
Affected packages
npm / directus
Package
- Name
- directus
- View open source insights on deps.dev
- Purl
- pkg:npm/directus