CVE-2021-29641 - OpenCVE

Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rangerstudio	Directus

Configuration 1 [-]

cpe:2.3:a:rangerstudio:directus:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html
http://seclists.org/fulldisclosure/2021/Apr/14
https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore
https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/
https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-07T21:31:45

Updated: 2024-08-03T22:11:06.112Z

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29641

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-07T22:15:14.973

Modified: 2021-04-13T12:03:06.957

Link: CVE-2021-29641

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-07T23:06:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore"}, {"name": "20210407 SEC Consult SA-20210407-0 :: Arbitrary File Upload and Bypassing .htaccess Rules in Monospace Directus Headless CMS", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2021/Apr/14"}, {"tags": ["x_refsource_MISC"], "url": "https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}, {"tags": ["x_refsource_MISC"], "url": "https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29641", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore", "refsource": "MISC", "url": "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore"}, {"name": "20210407 SEC Consult SA-20210407-0 :: Arbitrary File Upload and Bypassing .htaccess Rules in Monospace Directus Headless CMS", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Apr/14"}, {"name": "https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "refsource": "MISC", "url": "https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}, {"name": "https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "refsource": "MISC", "url": "https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}, {"name": "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:11:06.112Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore"}, {"name": "20210407 SEC Consult SA-20210407-0 :: Arbitrary File Upload and Bypassing .htaccess Rules in Monospace Directus Headless CMS", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2021/Apr/14"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29641", "datePublished": "2021-04-07T21:31:45", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:11:06.112Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rangerstudio:directus:*:*:*:*:*:*:*:*", "matchCriteriaId": "25C32EC9-72A3-4EF5-B67C-461B26AE84EB", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com)."}, {"lang": "es", "value": "Directus 8 versiones anteriores a 8.8.2, permite a los usuarios autenticados remotamente ejecutar c\u00f3digo arbitrario porque los permisos de carga de archivos incluyen la capacidad de cargar un archivo .php en el directorio de carga principal y/o cargar un archivo .php y un archivo .htaccess en un subdirectorio. La explotaci\u00f3n tiene \u00e9xito solo para ciertas instalaciones con el servidor HTTP Apache y el controlador de almacenamiento local (por ejemplo, cuando el producto se obtuvo de hub.docker.com)"}], "id": "CVE-2021-29641", "lastModified": "2021-04-13T12:03:06.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-07T22:15:14.973", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Apr/14"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}