Fishuke

Name of the Vulnerable Software and Affected Versions: Directus versions 11.0.0 through 11.2.x Description: Directus is a real-time API and App dashboard for managing SQL database content. When setting `WEBSOCKETS GRAPHQL AUTH` or `WEBSOCKETS REST AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either `WEBSOCKETS GRAPHQL AUTH` or `WEBSOCKETS REST AUTH` set to `public`, allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user-defined collections ignoring permissions. Recommendations: For versions 11.0.0 through 11.2.x, update to version 11.3.0 to resolve the issue. As a temporary workaround, consider setting `WEBSOCKETS GRAPHQL AUTH` and `WEBSOCKETS REST AUTH` to a value other than "public" to restrict unauthenticated access. Restrict access to the WebSocket API endpoints to minimize the risk of exploitation. Avoid using the `WEBSOCKETS GRAPHQL AUTH` and `WEBSOCKETS REST AUTH` settings with the value "public" until the issue is resolved.