CVE-2024-45596: Session is cached for OpenID and OAuth2 if `redirect` is not used
Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string.
For example:
- Project is configured with OpenID or OAuth2
- Project is configured with cache enabled
- User tries to login via SSO link, but without
redirectquery string - After successful login, credentials are cached
- If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user
The SSO link is something like https://directus.example.com/auth/login/openid/callback, where openid is the name of the OpenID provider configured in Directus
References
- github.com/advisories/GHSA-cff8-x7jv-4fm8
- github.com/directus/directus
- github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts
- github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts
- github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
- github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
- github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8
- nvd.nist.gov/vuln/detail/CVE-2024-45596
Detect and mitigate CVE-2024-45596 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →