CVE-2024-39896
CVSS V2 None
CVSS V3 None
Description
Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0.
Overview
- CVE ID
- CVE-2024-39896
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-07-08T17:27:56.032Z
- Last Modified Date
- 2024-07-08T17:27:56.032Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v | x_refsource_CONFIRM |
| https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2 | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-39896 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39896 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-07-09 13:12:24 | Added to TrackCVE |