What is the severity of CVE-2024-39896?

The severity of CVE-2024-39896 is classified as a medium risk due to potential user enumeration via SSO methods.

How do I fix CVE-2024-39896?

To mitigate CVE-2024-39896, upgrade to Directus version 10.13.0 or later.

What types of systems are affected by CVE-2024-39896?

CVE-2024-39896 affects Directus versions between 9.11.0 and 10.12.9 as well as earlier versions.

What specific vulnerability does CVE-2024-39896 address?

CVE-2024-39896 addresses the issue of user enumeration when using SSO providers combined with local authentication.

Does CVE-2024-39896 impact all SSO providers?

CVE-2024-39896 specifically impacts systems using known SSO providers integrated with Directus.

Vulnerability/
CVE-2024-39896

high

7.5

CWE

200

8/7/2024

3/1/2025

CVE-2024-39896: Directus allows SSO User Enumeration

First published: Mon Jul 08 2024(Updated: )

### Impact When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. ### Reproduction 1. Create a user using a SSO provider `test@directus.io`. 2. Try to log-in using the regular login form (or the API) 3. When using a valid email address | **APP** | **API** | | --- | --- | | ![image](https://github.com/directus/directus/assets/9389634/1da3301d-226f-46a7-bfb8-3f6fb9bc55cd) | ![image](https://github.com/directus/directus/assets/9389634/50cab310-7d1c-4241-a6be-d06542565767) | 4. When using an invalid email address | **APP** | **API** | | --- | --- | | ![image](https://github.com/directus/directus/assets/9389634/7b97659e-b49c-410b-872e-e36786b6e41e) | ![image](https://github.com/directus/directus/assets/9389634/d26ccba7-bb27-437e-991e-99c10941bbe7) | 5. Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user. ### Workarounds When only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable `AUTH_DISABLE_DEFAULT="true"` ### References Implemented as feature in https://github.com/directus/directus/pull/13184 https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
npm/directus	>=9.11<10.13.0	10.13.0
Directus	<10.13.0

Remedy

https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-39896?
The severity of CVE-2024-39896 is classified as a medium risk due to potential user enumeration via SSO methods.
How do I fix CVE-2024-39896?
To mitigate CVE-2024-39896, upgrade to Directus version 10.13.0 or later.
What types of systems are affected by CVE-2024-39896?
CVE-2024-39896 affects Directus versions between 9.11.0 and 10.12.9 as well as earlier versions.
What specific vulnerability does CVE-2024-39896 address?
CVE-2024-39896 addresses the issue of user enumeration when using SSO providers combined with local authentication.
Does CVE-2024-39896 impact all SSO providers?
CVE-2024-39896 specifically impacts systems using known SSO providers integrated with Directus.

agent/title
agent/weakness
agent/type
agent/first-publish-date
agent/references
agent/description
agent/event
agent/author
collector/nvd-cve
source/NVD
collector/mitre-cve
source/MITRE
collector/github-advisory-latest
source/GitHub
alias/GHSA-jgf4-vwc3-r46v
alias/CVE-2024-39896
agent/software-canonical-lookup
collector/github-advisory
agent/trending
agent/severity
agent/last-modified-date
agent/remedy
agent/softwarecombine
agent/source
agent/tags
collector/nvd-api
agent/software-canonical-lookup-request
package-manager/npm
vendor/monospace
canonical/directus

Frequently Asked Questions

What is the severity of CVE-2024-39896?
The severity of CVE-2024-39896 is classified as a medium risk due to potential user enumeration via SSO methods.
How do I fix CVE-2024-39896?
To mitigate CVE-2024-39896, upgrade to Directus version 10.13.0 or later.
What types of systems are affected by CVE-2024-39896?
CVE-2024-39896 affects Directus versions between 9.11.0 and 10.12.9 as well as earlier versions.
What specific vulnerability does CVE-2024-39896 address?
CVE-2024-39896 addresses the issue of user enumeration when using SSO providers combined with local authentication.
Does CVE-2024-39896 impact all SSO providers?
CVE-2024-39896 specifically impacts systems using known SSO providers integrated with Directus.

CVE-2024-39896: Directus allows SSO User Enumeration

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-39896?

How do I fix CVE-2024-39896?

What types of systems are affected by CVE-2024-39896?

What specific vulnerability does CVE-2024-39896 address?

Does CVE-2024-39896 impact all SSO providers?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2024-39896?

How do I fix CVE-2024-39896?

What types of systems are affected by CVE-2024-39896?

What specific vulnerability does CVE-2024-39896 address?

Does CVE-2024-39896 impact all SSO providers?