6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27481

GHSA ID

GHSA-m5q3-8wgf-x8xf

EPSS Score

0.4401%

CWE

CWE-200

Published

3/8/2023

Updated

3/26/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27481

CVE-2023-27481: Directus vulnerable to extraction of password hashes through export querying

Impact

Users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allows the user to enumerate the password hashes.

Patches

The problem has been patched by preventing any hashed/concealed field to be filtered against with the _starts_with or other string operator.

Workarounds

Ensuring that no user has read access to the password field in directus_users is sufficient to prevent this vulnerability.

For more information

If you have any questions or comments about this advisory:

Open a Discussion in directus/directus
Email us at security@directus.io

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27481

GHSA ID

GHSA-m5q3-8wgf-x8xf

EPSS Score

0.4401%

CWE

CWE-200

Published

3/8/2023

Updated

3/26/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	< 9.16.0	9.16.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) Filter processing logic allowing string operators on hashed fields, and 2) GraphQL type definitions not properly restricting operators for concealed fields. The patches in PR#14829 and PR#15010 explicitly address these by introducing operator allow-list checks and specialized GraphQLHash types. While exact function names aren't visible in diffs, the pattern matches Directus' architecture where items service handles filtering and GraphQL types define field capabilities. The combination of these two components being improperly configured would directly enable the described hash extraction attack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs wit* r*** ****ss to t** `p*sswor*` *i*l* in `*ir**tus_us*rs` **n *xtr**t t** *r*on* p*sswor* **s**s *y *rut* *or*in* t** *xport *un*tion*lity *om*in** wit* * `_st*rts_wit*` *ilt*r. T*is *llows t** us*r to *num*r*t* t** p*sswor* **s*

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) *ilt*r pro**ssin* lo*i* *llowin* strin* op*r*tors on **s*** *i*l*s, *n* *) *r*p*QL typ* ***initions not prop*rly r*stri*tin* op*r*tors *or *on***l** *i*l*s. T** p*t***s in PR#***** *n* PR#***** *xpli*it

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-27481: Directus vulnerable to extraction of password hashes through export querying

Impact

Patches

Workarounds

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI