
CVE-2023-38503 : Security Advisory and Response

Learn about CVE-2023-38503 impacting Directus versions >= 10.3.0 and < 10.5.0. Discover the vulnerability allowing unauthorized users to access sensitive data through GraphQL subscriptions.

Directus has Incorrect Permission Checking for GraphQL Subscriptions.

Understanding CVE-2023-38503

Directus, a real-time API and App dashboard for managing SQL database content, is affected by a vulnerability where permission filters are not properly checked for GraphQL subscriptions, allowing unauthorized users to receive event updates that they should not have access to. This issue affects versions >= 10.3.0 and < 10.5.0.

What is CVE-2023-38503?

In CVE-2023-38503, Directus versions from 10.3.0 up to but not including 10.5.0 have a security flaw in which the permission filters that govern what a user may read are not applied to GraphQL subscriptions. As a result, users without the required permissions receive event updates through their subscriptions, breaching data confidentiality.

The Impact of CVE-2023-38503

Because the permission filters are not enforced on subscription events, unauthorized actors can read sensitive information through GraphQL subscriptions in Directus, compromising data confidentiality. This can lead to data leaks and privacy violations.

Technical Details of CVE-2023-38503

The vulnerability in Directus is due to the incorrect permission checking for GraphQL subscriptions. Here are the technical details:

Vulnerability Description

Starting from version 10.3.0 and prior to version 10.5.0, the permission filters are not adequately verified, allowing unauthorized users to receive event updates on their subscriptions.

Affected Systems and Versions

Directus versions affected by this vulnerability are >= 10.3.0 and < 10.5.0. Users of these versions are at risk of unauthorized access to sensitive information through GraphQL subscriptions.

Exploitation Mechanism

Unauthorized users can exploit this vulnerability by subscribing to GraphQL events and receiving updates on sensitive information they do not have permission to access.

Mitigation and Prevention

To mitigate the risk associated with CVE-2023-38503, take the immediate step below and then adopt the long-term practices that follow:

Immediate Steps to Take

Disable GraphQL subscriptions as a temporary workaround to prevent unauthorized access to sensitive data.

Long-Term Security Practices

Upgrade to version 10.5.0 or newer, which contains a patch for this vulnerability.

Patching and Updates

Regularly update Directus to the latest version to ensure that security patches are applied and vulnerabilities are addressed promptly.
