GHSA-g27j-74fp-xfpr

Source

https://github.com/advisories/GHSA-g27j-74fp-xfpr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-g27j-74fp-xfpr/GHSA-g27j-74fp-xfpr.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-g27j-74fp-xfpr

Aliases

CVE-2022-26969

Published

2022-04-05T18:31:22Z

Modified

2025-04-14T22:07:39Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Insecure default value for CORS configuration

Details

Impact

The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.

Patches

The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0

Workarounds

Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.

For more information

If you have any questions or comments about this advisory: * Open an issue in directus/directus * Email us at security@directus.io

Database specific

{
    "nvd_published_at": "2022-12-26T06:15:00Z",
    "cwe_ids": [
        "CWE-942"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-05T18:31:22Z"
}

References

Affected packages

npm / directus

Package

Name: directus; View open source insights on deps.dev
Purl: pkg:npm/directus

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.7.0