CVE-2023-27481 in Directus
Summary
by MITRE • 03/07/2023
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed, which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field from being filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`.
Analysis
by VulDB Data Team • 03/08/2023
CVE-2023-27481 affects Directus, a real-time API and application dashboard for managing SQL database content, in versions prior to 9.16.0. It is an information disclosure flaw rooted in insufficient filter validation in the export functionality. The `password` field of `directus_users` holds argon2 hashes and is a concealed field, so its value is not returned on read; a user who nevertheless holds read permission on that field can combine the `_starts_with` filter operator with brute-force enumeration to recover the hashes, bypassing the concealment that is meant to protect them.
The defect lies in the filtering capabilities of the export functionality: string operators that should be refused for sensitive fields are accepted. When a user with read access to the `password` field exports data with a `_starts_with` filter, the system does not check that such operators are prohibited on hashed or concealed fields. Each query therefore answers whether the stored hash begins with a given prefix, and iterative queries progressively reveal the full hash. The flaw is a failure of least privilege and of field-level access control: a field whose value is concealed on read is still exposed through a particular filter combination.
The operational impact goes beyond simple information disclosure, since the leaked hashes give an attacker intelligence about user authentication. The hashes cannot be reversed without substantial computational resources, but enumerating them yields information about password patterns and may enable targeted attacks on specific accounts. The vulnerability is classified as CWE-200 (information exposure) and is a failure of access control validation that could support further exploitation attempts. The attack vector corresponds to ATT&CK technique T1213.002, data from information repositories, and illustrates how insufficient input validation creates unintended access paths in database systems.
The patch in version 9.16.0 introduces stricter validation that prevents hashed or concealed fields from being filtered with string operators such as `_starts_with`, `_contains`, or similar pattern matching, regardless of the user's permissions. Organizations that cannot upgrade can mitigate by removing read access to the `password` field in `directus_users` from all users, which closes the exploitation pathway entirely. Both measures follow defense in depth and proper privilege management, principles that apply to any database system to prevent similar information disclosure vulnerabilities.
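The two defensive measures described above, shown as an added JavaScript example that is not Directus project code: a validator that rejects string-pattern operators on concealed fields (the class of check the 9.16.0 fix introduced) and an audit that lists roles holding read access to `directus_users.password` (the pre-upgrade mitigation). The filter shape follows Directus's JSON filter syntax (field to `{ _op: value }`, with `_and`/`_or` arrays); the operator list, the relation map, the concealed-field list, the permission rows and all function names are constructed for this example.

```javascript
// Added example, not Directus code. Operators that disclose partial information
// about a stored string; the list is constructed for this example and should be
// checked against the filter operators of the Directus version in use.
const STRING_PATTERN_OPERATORS = new Set([
  '_starts_with', '_ends_with', '_contains', '_ncontains', '_regex',
]);

const LOGICAL_OPERATORS = new Set(['_and', '_or']);

// Constructed schema metadata. Real deployments would read the "conceal"/hash
// specials from field metadata and relations from the relations table.
const CONCEALED_FIELDS = new Set(['directus_users.password', 'directus_users.token']);
const RELATIONS = { 'directus_activity.user': 'directus_users' };

// Walk a Directus-style filter object and return every { field, operator }
// where a pattern operator targets a concealed field. `collection` is the
// collection the filter applies to; relational fields switch to the related
// collection so that user.password is checked as directus_users.password.
function findConcealedFieldFilters(filter, collection) {
  const violations = [];
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    return violations;
  }

  for (const [key, value] of Object.entries(filter)) {
    if (LOGICAL_OPERATORS.has(key)) {
      // _and / _or hold arrays of sub-filters on the same collection
      for (const sub of Array.isArray(value) ? value : []) {
        violations.push(...findConcealedFieldFilters(sub, collection));
      }
    } else if (key.startsWith('_')) {
      // a bare operator at collection level is not a field filter; ignore
      continue;
    } else {
      const fieldPath = `${collection}.${key}`;
      const related = RELATIONS[fieldPath];
      if (related) {
        // relational field: the nested filter applies to the related collection
        violations.push(...findConcealedFieldFilters(value, related));
      } else if (value !== null && typeof value === 'object') {
        // leaf field: value is { _op: operand, ... }
        for (const op of Object.keys(value)) {
          if (STRING_PATTERN_OPERATORS.has(op) && CONCEALED_FIELDS.has(fieldPath)) {
            violations.push({ field: fieldPath, operator: op });
          }
        }
      }
    }
  }
  return violations;
}

// Reject the request before it reaches the query builder; returns the filter
// unchanged when it is acceptable.
function assertFilterAllowed(filter, collection) {
  const violations = findConcealedFieldFilters(filter, collection);
  if (violations.length > 0) {
    const detail = violations.map((v) => `${v.operator} on ${v.field}`).join(', ');
    throw new Error(`Forbidden filter: pattern operators are not allowed on concealed fields (${detail})`);
  }
  return filter;
}

// Constructed sample of permission rows (simplified: real rows carry more
// columns). `fields` is an array of field names, '*' meaning every field.
const SAMPLE_PERMISSIONS = [
  { role: 'editor', collection: 'directus_users', action: 'read', fields: ['id', 'email', 'password'] },
  { role: 'viewer', collection: 'directus_users', action: 'read', fields: ['id', 'email'] },
  { role: 'support', collection: 'directus_users', action: 'read', fields: ['*'] },
  { role: 'support', collection: 'directus_users', action: 'update', fields: ['password'] },
];

// Pre-9.16.0 mitigation audit: which roles hold read access to a given field,
// either explicitly or through a wildcard.
function rolesWithReadAccess(permissions, collection, field) {
  const roles = new Set();
  for (const p of permissions) {
    if (p.collection !== collection || p.action !== 'read') continue;
    const fields = p.fields ?? [];
    if (fields.includes('*') || fields.includes(field)) roles.add(p.role);
  }
  return [...roles].sort();
}

// Stand-alone demonstration
console.log(findConcealedFieldFilters({ password: { _starts_with: '$argon2' } }, 'directus_users'));
console.log(rolesWithReadAccess(SAMPLE_PERMISSIONS, 'directus_users', 'password'));
```

The validator is deliberately placed in front of the query builder rather than inside the permission check: the user in the advisory legitimately holds read permission, so the oracle can only be closed by refusing the operator on the field, which is what the upstream fix does. The audit function is the check to run once on a deployment that cannot yet upgrade; any role it lists should have the `password` field removed from its read permission.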