CVE-2024-39699

Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:28

Type Values Removed Values Added
References () https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1 - Patch () https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1 - Patch
References () https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw - Exploit, Vendor Advisory () https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw - Exploit, Vendor Advisory

09 Jul 2024, 14:37

Type Values Removed Values Added
CPE cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*
Summary
  • (es) Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. Ya se informó de una vulnerabilidad SSRF mediante la importación de archivos. Se solucionó resolviendo todos los nombres DNS y verificando si la IP solicitada es una dirección IP interna. Sin embargo, es posible saltarse esta medida de seguridad y ejecutar un SSRF mediante redireccionamientos. Directus permite redireccionamientos al importar archivos desde la URL y no verifica la URL del resultado. Así, es posible ejecutar una solicitud a una IP interna, por ejemplo a 127.0.0.1. Sin embargo, es SSRF ciego, porque Directus también utiliza la técnica de interceptación de respuestas para obtener la información sobre la conexión desde el socket directamente y no muestra una respuesta si la dirección IP es interna. Esta vulnerabilidad se solucionó en 10.9.3.
References () https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1 - () https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1 - Patch
References () https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw - () https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw - Exploit, Vendor Advisory
First Time Monospace
Monospace directus

08 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-08 16:15

Updated : 2024-11-21 09:28


NVD link : CVE-2024-39699

Mitre link : CVE-2024-39699

CVE.ORG link : CVE-2024-39699


JSON object : View

Products Affected

monospace

  • directus
CWE
CWE-918

Server-Side Request Forgery (SSRF)