PT-2023-20682 · Directus · Directus

Ccamm +1 · Published 2023-03-03 · Updated 2023-03-10 · CVE-2023-26492

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.23.0

Description: Directus is a real-time API and App dashboard for managing SQL database content. It is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server via a POST request to the /files/import API endpoint. An attacker can bypass the endpoint's security controls by performing a DNS rebinding attack: the hostname passes the check at the time it is first resolved, but the subsequent HTTP request resolves it again and the resolver now answers with an internal address. This allows the attacker to view sensitive data from internal servers or perform a local port scan, and can be exploited to access highly sensitive internal servers and steal sensitive information.

Recommendations: For versions prior to 9.23.0, update to version 9.23.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /files/import API endpoint until the update is applied. Additionally, restricting the ability to import files from remote web servers can help minimize the risk of exploitation.
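The rebinding described above works because the address check and the actual connection each perform their own DNS lookup. The defensive pattern is to resolve once, validate every returned address, and then connect to the validated address rather than to the hostname. The following is an added example of that pattern written for this page; it is not Directus code, and the hostnames and resolver results it uses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (169.254/16, which includes cloud
    metadata services), multicast and IPv4-mapped IPv6 forms of those
    ranges are all rejected.
    """
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to it as well.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def default_resolver(host):
    """Resolve host exactly once via the system resolver; returns IP strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_and_pin(url, resolver=default_resolver):
    """Validate a user-supplied import URL and pin it to one checked address.

    Returns (pinned_url, original_host). The caller connects to pinned_url
    and sends original_host as the Host header (and as the TLS SNI name),
    so no second DNS lookup happens between the check and the request.
    The resolver parameter exists so the check can be exercised offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host")

    # A literal IP host skips DNS but still goes through the range check.
    ips = resolver(host)
    if not ips:
        raise ValueError(f"{host!r} did not resolve")
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        # Any internal answer rejects the whole name, so a mixed response
        # (one public, one internal address) cannot slip through either.
        raise ValueError(f"{host!r} resolves to a non-public address: {bad}")

    pinned_ip = ips[0]
    literal = f"[{pinned_ip}]" if ":" in pinned_ip else pinned_ip
    netloc = literal if parts.port is None else f"{literal}:{parts.port}"
    # Userinfo from the original URL is deliberately dropped.
    pinned_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return pinned_url, host


if __name__ == "__main__":
    # Constructed resolver answers standing in for a well-behaved name
    # and for a rebinding name that returns an internal address.
    honest = lambda h: ["93.184.216.34"]
    rebinding = lambda h: ["93.184.216.34", "127.0.0.1"]

    print(resolve_and_pin("http://files.example.test:8080/report.csv", resolver=honest))
    for bad_url in ("http://rebind.example.test/report.csv", "http://169.254.169.254/latest/"):
        try:
            resolve_and_pin(bad_url, resolver=rebinding if "rebind" in bad_url else default_resolver)
        except ValueError as exc:
            print("rejected:", exc)
```

For HTTPS imports the HTTP client must be able to connect to the pinned IP while still presenting the original hostname for SNI and certificate validation; most clients support this through a custom transport or connection pool. Note also that `ipaddress.is_global` treats the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-public, which is why the sample above uses a different literal.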

Exploit · Fix · SSRF


Weakness Enumeration

Related identifiers

CVE-2023-26492
GHSA-J3RG-3RGM-537H

Affected products

Directus