CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
57.7%
The default value for the CORS_ENABLED
and CORS_ORIGIN
configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn’t been changed.
The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0
Configure the CORS environment variables to match your project’s usage, rather than leaving them at the (permissive) defaults.
If you have any questions or comments about this advisory:
developer.mozilla.org/en-US/docs/Web/HTTP/CORS
github.com/advisories/GHSA-g27j-74fp-xfpr
github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md
github.com/directus/directus/pull/12022
github.com/directus/directus/releases/tag/v9.7.0
github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr
nvd.nist.gov/vuln/detail/CVE-2022-26969
security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822