CVE-2024-27295 in Directusinfo

Summary

by MITRE • 03/01/2024

Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact that by default MySQL/MariaDB are configured for accent-insensitive and case-insensitive comparisons. This vulnerability is fixed in version 10.8.3.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/03/2025

The vulnerability identified as CVE-2024-27295 affects Directus, a real-time API and application dashboard designed for managing SQL database content. This security flaw resides within the password reset mechanism of the Directus backend system, creating a significant authentication bypass opportunity for malicious actors. The issue stems from the underlying database configuration where MySQL or MariaDB instances are defaulted to accent-insensitive and case-insensitive comparison settings, which inadvertently allows attackers to exploit the system's email validation process.

The technical implementation of this vulnerability exploits the fundamental database configuration where character encoding comparisons do not distinguish between accented and non-accented characters. When a user requests a password reset, the system checks if the provided email address exists in the database. Due to the database's accent-insensitive configuration, an attacker can substitute regular characters with accented versions, creating an email address that appears different but is considered equivalent by the database system. This allows the attacker to receive password reset emails intended for legitimate users, effectively enabling account takeover attempts.

The operational impact of this vulnerability extends beyond simple account compromise as it represents a sophisticated social engineering attack vector that leverages database configuration weaknesses rather than traditional security flaws. Attackers can systematically test variations of target email addresses by introducing accented characters, potentially gaining unauthorized access to multiple user accounts. This vulnerability particularly affects organizations that rely heavily on Directus for content management and user authentication, as it undermines the fundamental security assumptions of email-based account recovery mechanisms.

Security practitioners should note that this vulnerability aligns with CWE-200, which addresses information exposure, and represents a specific implementation weakness in how the system handles character comparisons during authentication processes. The ATT&CK framework categorizes this under privilege escalation and credential access techniques, specifically targeting the credential access phase where attackers seek to obtain valid credentials through account takeover methods. Organizations utilizing Directus must ensure their database configurations properly handle character comparisons to prevent such bypasses, particularly when dealing with internationalized email addresses and user accounts.

The fix implemented in Directus version 10.8.3 addresses this issue through proper database configuration adjustments and enhanced validation mechanisms that enforce strict character comparison rules. System administrators should review their database collation settings and ensure that accent-sensitive comparisons are enforced where appropriate, particularly in authentication and verification processes. Additionally, implementing rate limiting and monitoring for password reset requests can help detect and prevent abuse of this vulnerability, while regular security audits should verify that all database configurations align with security best practices and do not inadvertently enable character comparison bypasses.

Responsible

GitHub, Inc.

Reservation

02/22/2024

Disclosure

03/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00702

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!