Vulnerability Description
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, permission filters (for example a read rule requiring `user_created` to equal `$CURRENT_USER`) are not applied when mutation events are dispatched to GraphQL subscriptions. A subscriber can therefore receive events for items that the permission filter on the underlying collection should hide from them. Any collection that relies on such a filter is affected, and the issue is reachable out of the box because the default `directus_users` permissions are filtered this way, so a subscribed user can receive updates about other users' records. Version 10.5.0 contains a patch. As a workaround, disable GraphQL subscriptions.
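The following JavaScript is an added example and is not code from the Directus project or from this advisory. It models the fan-out of mutation events to subscribers twice: once ignoring the subscriber's permission filter (the behaviour the advisory describes) and once re-checking the filter per subscriber before delivery. The filter evaluator handles a small subset of Directus-style filter objects (`_eq`, `_neq`, `_in`, `_and`, `_or`) and the `$CURRENT_USER` dynamic variable. The subscriber list, event payloads, collection names and rule shapes are all constructed for the example, and the actual fix in 10.5.0 may be structured differently. One edge case is handled deliberately: an update event's payload may not carry the field a filter references, so the example fails closed there, where a production implementation should instead re-read the item through the subscriber's permissions.

```javascript
// Added example (not Directus code): per-subscriber permission filtering of
// subscription events. Subscribers, payloads and rule shapes are constructed.

// Constructed subscribers. `permissions` maps collection -> read filter as a
// Directus-style filter object; `admin: true` stands in for an unrestricted role.
const SUBSCRIBERS = [
  {
    user: 'alice',
    permissions: {
      directus_users: { id: { _eq: '$CURRENT_USER' } },
      articles: {
        _and: [
          { user_created: { _eq: '$CURRENT_USER' } },
          { status: { _in: ['draft', 'published'] } },
        ],
      },
    },
  },
  {
    user: 'bob',
    permissions: { directus_users: { id: { _eq: '$CURRENT_USER' } } }, // no rule for `articles`
  },
  { user: 'admin', admin: true },
];

// Constructed mutation events: event type, collection, primary key, item data.
const EVENTS = [
  { event: 'update', collection: 'directus_users', key: 'alice', data: { id: 'alice', email: 'alice@example.com' } },
  { event: 'update', collection: 'directus_users', key: 'bob', data: { id: 'bob', last_page: '/content' } },
  { event: 'create', collection: 'articles', key: '7', data: { id: '7', user_created: 'alice', status: 'draft' } },
  { event: 'create', collection: 'articles', key: '8', data: { id: '8', user_created: 'carol', status: 'published' } },
  // Partial update payload: the field the filter needs is absent.
  { event: 'update', collection: 'articles', key: '9', data: { id: '9', title: 'renamed' } },
];

// Substitute dynamic variables the way a permission filter expects.
function resolveDynamic(value, ctx) {
  return value === '$CURRENT_USER' ? ctx.user : value;
}

// Evaluate a filter object against one record. Fails closed: a field the
// filter references but the record lacks is treated as a non-match.
function matchesFilter(record, filter, ctx) {
  return Object.entries(filter).every(([field, cond]) => {
    if (field === '_and') return cond.every((f) => matchesFilter(record, f, ctx));
    if (field === '_or') return cond.some((f) => matchesFilter(record, f, ctx));
    if (!(field in record)) return false;
    const actual = record[field];
    return Object.entries(cond).every(([op, expected]) => {
      const want = resolveDynamic(expected, ctx);
      switch (op) {
        case '_eq': return actual === want;
        case '_neq': return actual !== want;
        case '_in': return want.map((v) => resolveDynamic(v, ctx)).includes(actual);
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  });
}

// Vulnerable behaviour: the subscription channel ignores the permission
// filter, so every subscriber receives every event (collection-level
// subscription scoping is omitted for brevity).
function fanOutUnfiltered(subscribers, events) {
  const delivered = {};
  for (const s of subscribers) delivered[s.user] = events.map((e) => e.key);
  return delivered;
}

// Fixed behaviour: re-check the subscriber's read filter for the event's
// collection before delivering the event.
function fanOutFiltered(subscribers, events) {
  const delivered = {};
  for (const s of subscribers) {
    delivered[s.user] = [];
    for (const e of events) {
      if (s.admin) { delivered[s.user].push(e.key); continue; }
      const rule = s.permissions[e.collection];
      if (rule === undefined) continue; // no read permission on this collection at all
      if (matchesFilter(e.data, rule, { user: s.user })) delivered[s.user].push(e.key);
    }
  }
  return delivered;
}

console.log('unfiltered:', fanOutUnfiltered(SUBSCRIBERS, EVENTS));
console.log('filtered:  ', fanOutFiltered(SUBSCRIBERS, EVENTS));
```

In the unfiltered path `bob` receives `alice`'s user record and all article events; in the filtered path he receives only his own record, and `alice` receives her own record plus article `7`, while the partial update `9` is withheld from non-admin subscribers because the payload does not carry `user_created`. To confirm the behaviour on a live instance rather than in this model, subscribe as a low-privilege user to the `directus_users` mutation subscription field and have another user's record change; on an affected version the event arrives, on 10.5.0 or later it should not.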
CVSS Score
5.7 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Monospace | Directus | >= 10.3.0, < 10.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/directus/directus/pull/19155 (Patch)
- https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98 (Vendor Advisory)
FAQ
What is CVE-2023-38503?
CVE-2023-38503 is an authorization flaw in Directus with a CVSS base score of 5.7 (MEDIUM). In versions 10.3.0 up to but not including 10.5.0, permission filters (such as a rule requiring `user_created` to equal `$CURRENT_USER`) are not applied to GraphQL subscription events, so a subscriber can receive events for records the filter should hide; the default `directus_users` permissions expose other users' updates this way. See the Vulnerability Description above for the full text.
How severe is CVE-2023-38503?
CVE-2023-38503 has been rated MEDIUM with a CVSS base score of 5.7/10. This page lists only the base score and rating; consult the vendor advisory linked in the References section for the full metric breakdown.
Is there a patch for CVE-2023-38503?
Yes. Directus version 10.5.0 contains the fix; the patch and the vendor advisory are linked in the References section. If upgrading is not immediately possible, disable GraphQL subscriptions as a workaround. Affected product: Monospace Directus, versions >= 10.3.0 and < 10.5.0.