CVE-2023-27481
Directus vulnerable to extraction of password hashes through export querying
Description
### Impact Users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. ### Patches The problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator. ### Workarounds Ensuring that no user has `read` access to the `password` field in `directus_users` is sufficient to prevent this vulnerability. ### For more information If you have any questions or comments about this advisory: * Open a Discussion in [directus/directus](https://github.com/directus/directus/discussions/new) * Email us at [security@directus.io](mailto:security@directus.io)
How to fix CVE-2023-27481
To remediate CVE-2023-27481, upgrade the affected package to a fixed version below.
- —upgrade to 9.16.0 or later
Is CVE-2023-27481 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 9.16.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |