GMS-2022-677: Duplicate of ./npm/directus/CVE-2022-26969.yml

April 5, 2022 (updated April 6, 2022)

Impact

The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn’t been changed.

Patches

The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0

Workarounds

Configure the CORS environment variables to match your project’s usage, rather than leaving them at the (permissive) defaults.

For more information

If you have any questions or comments about this advisory:

Open an issue in directus/directus
Email us at security@directus.io

References

Detect and mitigate GMS-2022-677 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →