CVE-2024-54151
Directus allows unauthenticated access to WebSocket events and operations
Description
### Summary When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. ### Details Accountability for unauthenticated WebSocket requests is set to null, which used to be "public permissions" until the Permissions Policy update which now defaults that to system/admin level access. So instead of null we need to make use of `createDefaultAccountability()` to ensure public permissions are used for unauthenticated users. ### PoC 1. Start directus with ```bash WEBSOCKETS_ENABLED=true WEBSOCKETS_GRAPHQL_AUTH=public WEBSOCKETS_REST_AUTH=public ``` 2. Subscribe using GQL or REST or do any CRUD operation on a user created collection (system tables are not reachable with crud) ```gql subscription { directus_users_mutated { key event data { id email first_name last_name password } } } ``` or ```json { "type": "items", "action": "read", "collection": "your_collection_name" } ``` 3a. Open up the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the users `last_page` gets updated, the `password` fields is properly redacted here) 3b. Observe receiving all available items from the `your_collection_name` collection. ### Impact This impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public` allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions.
How to fix CVE-2024-54151
To remediate CVE-2024-54151, upgrade the affected package to a fixed version below.
- —upgrade to 11.3.0 or later
- —upgrade to 23.2.0 or later
Is CVE-2024-54151 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.