CVE-2023-27481: Directus vulnerable to extraction of password hashes through export querying
CVSS Score: 6.5 (CVSS 3.1)

Basic Information
CVE ID: CVE-2023-27481
GHSA ID
EPSS Score: 0.4401%
CWE
Published: 3/8/2023
Updated: 3/26/2023
KEV Status: No
Technology: JavaScript

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| directus | npm | < 9.16.0 | 9.16.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key points: 1) filter processing logic that allowed string operators on hashed fields, and 2) GraphQL type definitions that did not properly restrict operators for concealed fields. The patches in PR #14829 and PR #15010 explicitly address these by introducing operator allow-list checks and specialized GraphQLHash types. While exact function names aren't visible in the diffs, the pattern matches Directus' architecture, where the items service handles filtering and GraphQL types define field capabilities. The combination of these two components being improperly configured would directly enable the described hash extraction attack.
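
The operator allow-list idea described above, as an added sketch that is not Directus code or the code from either PR. The schema shape, the `concealed` flag, `sampleSchema` and `validateFilter` are hypothetical, and the set of four permitted operators is an assumption about what is safe on a hashed field.

```javascript
// Added example; schema shape and names are hypothetical, not Directus internals.
// Assumption: only presence/emptiness checks are safe on concealed fields.
const CONCEALED_ALLOWED = new Set(['_null', '_nnull', '_empty', '_nempty']);
const LOGICAL = new Set(['_and', '_or']);

// Constructed sample schema: collection -> field -> { concealed?, relation? }
const sampleSchema = {
  users: { email: {}, password: { concealed: true }, role: { relation: 'roles' } },
  roles: { name: {}, api_secret: { concealed: true } },
};

// Returns a list of violations; an empty list means the filter may run.
function validateFilter(schema, collection, filter, path = []) {
  const violations = [];
  if (filter === null || typeof filter !== 'object') {
    return [`${path.join('.') || collection}: filter must be an object`];
  }
  const fields = schema[collection] ?? {};
  for (const [key, value] of Object.entries(filter)) {
    const here = [...path, key];
    if (LOGICAL.has(key)) {
      // _and / _or carry arrays of sub-filters on the same collection.
      const subs = Array.isArray(value) ? value : [value];
      for (const sub of subs) violations.push(...validateFilter(schema, collection, sub, path));
      continue;
    }
    // Own-property lookup so keys like "constructor" are treated as unknown.
    const field = Object.hasOwn(fields, key) ? fields[key] : undefined;
    if (!field) {
      violations.push(`${here.join('.')}: unknown field`); // fail closed
    } else if (field.relation) {
      // Follow relations so a concealed field cannot be reached indirectly.
      violations.push(...validateFilter(schema, field.relation, value, here));
    } else if (field.concealed) {
      // A bare value is shorthand for equality, which is also a comparison.
      const ops = value !== null && typeof value === 'object' ? Object.keys(value) : ['(implicit _eq)'];
      for (const op of ops) {
        if (!CONCEALED_ALLOWED.has(op)) violations.push(`${here.join('.')}: ${op} not allowed on concealed field`);
      }
    }
  }
  return violations;
}
```

The same check has to sit on every path that accepts a filter (REST, GraphQL and export), since a restriction enforced in only one of them leaves the others open.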