PT-2023-21157 · Directus · Directus

Erik Van Oosbree +1 · Published 2023-03-07 · Updated 2023-03-14 · CVE-2023-27481

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.16.0

Description: The issue allows users with read access to the password field in directus users to extract argon2 password hashes by brute forcing the export functionality combined with a starts-with filter. This enables the enumeration of password hashes. However, taking over accounts is unlikely with current hardware unless the hashes can be reversed.

Recommendations: For versions prior to 9.16.0, upgrade to version 9.16.0 or later to patch the issue. As a temporary workaround for users unable to upgrade, ensure that no user has read access to the password field in directus users.
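As an added example (not Directus project code), a small audit helper for the workaround above: it flags permission rules that grant read access to the password field of directus users, and checks whether a version string predates the 9.16.0 fix. The rule shape (role/collection/action/fields) is assumed to mirror what the Directus permissions API returns; the sample rules are constructed.

```python
"""Audit helpers for CVE-2023-27481 (Directus < 9.16.0).

Constructed example, not Directus project code. The permission record
shape (keys: role, collection, action, fields) is an assumption modelled
on the Directus permissions API.
"""
from typing import Iterable


def is_vulnerable_version(version: str) -> bool:
    """True when a Directus version string is older than the fixed 9.16.0."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")[:3]]
    parts += [0] * (3 - len(parts))  # pad "9.0" to (9, 0, 0)
    return tuple(parts) < (9, 16, 0)


def password_read_grants(permissions: Iterable[dict]) -> list:
    """Return (role, fields) for every rule granting read on directus_users.password.

    A fields value of '*' (string or list member) is treated as exposing every
    column, password included. Export goes through the same read rule, so a
    read grant alone is enough for the hash-enumeration issue described above.
    """
    findings = []
    for rule in permissions:
        if rule.get("collection") != "directus_users" or rule.get("action") != "read":
            continue
        fields = rule.get("fields")
        if fields is None:
            continue  # assumption: no fields listed means no columns granted
        if isinstance(fields, str):
            fields = [f.strip() for f in fields.split(",")]
        if "*" in fields or "password" in fields:
            findings.append((rule.get("role"), sorted(fields)))
    return findings


# Constructed sample rules: one safe read rule, two risky ones, two unrelated.
SAMPLE_PERMISSIONS = [
    {"role": "editor", "collection": "directus_users", "action": "read", "fields": ["id", "email"]},
    {"role": "support", "collection": "directus_users", "action": "read", "fields": "*"},
    {"role": "auditor", "collection": "directus_users", "action": "read", "fields": ["email", "password"]},
    {"role": "support", "collection": "articles", "action": "read", "fields": ["*"]},
    {"role": "editor", "collection": "directus_users", "action": "update", "fields": ["password"]},
]

if __name__ == "__main__":
    for role, fields in password_read_grants(SAMPLE_PERMISSIONS):
        print(f"role {role!r} can read directus_users.password via fields {fields}")
```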

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2023-27481
GHSA-M5Q3-8WGF-X8XF

Affected products

Directus