CVE-2024-39895 - Vulnerability Details - OpenCVE

Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating many times the fields a DoS attack is possible. This vulnerability is fixed in 10.12.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Monospace	Directus

Configuration 1 [-]

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8
https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4

History

Fri, 03 Jan 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Monospace Monospace directus
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:monospace:directus::::::node.js::*
Vendors & Products		Monospace Monospace directus

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-08T16:47:44.673Z

Updated: 2024-08-02T04:33:11.240Z

Reserved: 2024-07-02T19:37:18.599Z

Link: CVE-2024-39895

Vulnrichment

Updated: 2024-08-02T04:33:11.240Z

NVD

Status : Analyzed

Published: 2024-07-08T17:15:11.980

Modified: 2025-01-03T16:29:09.890

Link: CVE-2024-39895

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39895", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-02T19:37:18.599Z", "datePublished": "2024-07-08T16:47:44.673Z", "dateUpdated": "2024-08-02T04:33:11.240Z"}, "containers": {"cna": {"title": "Directus GraphQL Field Duplication Denial of Service (DoS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4"}, {"name": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8", "tags": ["x_refsource_MISC"], "url": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 10.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:47:44.673Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating many times the fields a DoS attack is possible. This vulnerability is fixed in 10.12.0."}], "source": {"advisory": "GHSA-7hmh-pfrp-vcx4", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "monospace", "product": "directus", "cpes": ["cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "10.12.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T13:22:38.687877Z", "id": "CVE-2024-39895", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T16:40:10.539Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.240Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4"}, {"name": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4", "name": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8", "name": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.240Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39895", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-09T13:22:38.687877Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"], "vendor": "monospace", "product": "directus", "versions": [{"status": "affected", "version": "0", "lessThan": "10.12.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T13:26:26.580Z"}}], "cna": {"title": "Directus GraphQL Field Duplication Denial of Service (DoS)", "source": {"advisory": "GHSA-7hmh-pfrp-vcx4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": "< 10.12.0"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4", "name": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8", "name": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating many times the fields a DoS attack is possible. This vulnerability is fixed in 10.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:47:44.673Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39895", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:33:11.240Z", "dateReserved": "2024-07-02T19:37:18.599Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-08T16:47:44.673Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A7FA42AF-B23C-44DD-A402-9382A4E30AF0", "versionEndExcluding": "10.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating many times the fields a DoS attack is possible. This vulnerability is fixed in 10.12.0."}, {"lang": "es", "value": "Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. Un ataque de denegaci\u00f3n de servicio (DoS) por duplicaci\u00f3n de campos en GraphQL es un tipo de ataque en el que un atacante aprovecha la flexibilidad de GraphQL para abrumar a un servidor solicitando el mismo campo varias veces en una sola consulta. Esto puede hacer que el servidor realice c\u00e1lculos redundantes y consuma recursos excesivos, lo que lleva a una denegaci\u00f3n de servicio para usuarios leg\u00edtimos. La solicitud al endpoint /graphql se env\u00eda al visualizar gr\u00e1ficos generados en un panel. Modificando los datos enviados y duplicando muchas veces los campos es posible un ataque DoS. Esta vulnerabilidad se solucion\u00f3 en 10.12.0."}], "id": "CVE-2024-39895", "lastModified": "2025-01-03T16:29:09.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-08T17:15:11.980", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}