CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
9.2%
When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a “helpful” error that the user belongs to another provider.
[email protected]
.APP | API |
---|---|
APP | API |
---|---|
When only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable AUTH_DISABLE_DEFAULT="true"
Implemented as feature in https://github.com/directus/directus/pull/13184
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account