CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence: High
Directus is vulnerable to sensitive information disclosure. The vulnerability is due to improper error handling when SSO providers are used in combination with local authentication. An attacker can determine whether an email address belongs to an SSO user by observing the error message Directus returns, resulting in SSO username enumeration.
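
The error-handling pattern described above, shown beside a hardened form with a regression check. This is an added example, not Directus code: the user store, field names, provider values, status codes and error strings are all hypothetical and constructed for illustration.

```javascript
// Constructed user store: one local account, one SSO-only account.
// Field names and provider values are hypothetical, not Directus's schema.
const USERS = new Map([
  ["local@example.com", { provider: "default", password: "correct-horse" }],
  ["sso@example.com", { provider: "okta", password: null }],
]);

// Stand-in for a real password-hash verification; plaintext only for brevity.
const passwordMatches = (user, password) =>
  user.password !== null && user.password === password;

// Vulnerable pattern: the failure response depends on the account type,
// so the caller learns which emails belong to SSO users.
function loginVulnerable(email, password) {
  const user = USERS.get(email);
  if (!user) return { status: 401, error: "Invalid credentials" };
  if (user.provider !== "default")
    return { status: 400, error: "This account uses an SSO provider" };
  if (!passwordMatches(user, password))
    return { status: 401, error: "Invalid credentials" };
  return { status: 200, error: null };
}

// Hardened pattern: every failed local login yields one identical response.
function loginHardened(email, password) {
  const user = USERS.get(email);
  const ok =
    !!user && user.provider === "default" && passwordMatches(user, password);
  return ok
    ? { status: 200, error: null }
    : { status: 401, error: "Invalid credentials" };
}

// Regression check: count distinct failure responses across account types.
// More than one means the login endpoint leaks the account type.
function distinctFailureResponses(loginFn) {
  const probes = ["local@example.com", "sso@example.com", "nobody@example.com"];
  const seen = new Set(
    probes.map((email) => JSON.stringify(loginFn(email, "wrong-password")))
  );
  return seen.size;
}

console.log("vulnerable:", distinctFailureResponses(loginVulnerable));
console.log("hardened:", distinctFailureResponses(loginHardened));
```

The same check can run in a test suite against a real login handler, comparing status code and body for local, SSO and unknown addresses.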