5.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38503

CVE-2023-38503: Incorrect Permission Checking for GraphQL Subscriptions

Summary

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Access to information you should not have access to when the permissions rely on $CURRENT_USER for filtering.

Details

The permission filters (i.e. user_created IS $CURRENT_USER) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions. This can be any collection but out-of-the box the directus_users collection is configured with such a permissions filter allowing you to get updates for other users when changes happen.

An example:

subscription {
  directus_users_mutated {
    event
    data {
      id
      last_access
      last_page
    }
  }
}

Patches

https://github.com/directus/directus/pull/19155

Workarounds

Disable GraphQL Subscriptions

References

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-38503

CVE-2023-38503:

5.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	>= 10.3, < 10.5.0	10.5.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from divergent data fetching logic between REST and GraphQL endpoints. The patch (#19155) explicitly states it 'uses the same data fetching logic for both REST and GraphQL subscriptions,' indicating the GraphQL subscription handlers previously lacked proper permission checks. The SubscriptionService.subscribe function would be directly responsible for real-time updates, while ItemsService.readByQuery is a core data fetching method that might have been context-agnostic in GraphQL mode. The high confidence for SubscriptionService comes from the patch's focus on subscription handling, while ItemsService gets medium confidence as the underlying mechanism that might have been improperly contextualized.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-38503: Incorrect Permission Checking for GraphQL Subscriptions

Summary

Details

Patches

Workarounds

References

CVE-2023-38503:

5.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.7

5.7

Technical Details

CVE-2023-38503: Incorrect Permission Checking for GraphQL Subscriptions

Summary

Details

Patches

Workarounds

References

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI