PT-2024-28637 · Directus · Directus

Dmitrii-Zalmanov · Published 2024-07-08 · Updated 2024-07-09 · CVE-2024-39699

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.9.3
Description: Directus is a real-time API and App dashboard for managing SQL database content. A previously reported SSRF vulnerability via file import was fixed by resolving all DNS names and checking whether the requested IP is an internal IP address. However, this check can be bypassed, and an SSRF performed, using redirects. Directus follows redirects when importing a file from a URL and does not validate the URL it is redirected to, so a redirect from an external host can send the request to an internal IP, for example 127.0.0.1. This is a blind SSRF: Directus uses response interception to read the connection's peer address directly from the socket and does not return the response when that address is internal. The blindness does not fully mitigate the impact, because a blind SSRF can still be exploited in real-world scenarios, in particular when software inside the network can be exploited with a single GET request.
Recommendations: For versions prior to 10.9.3, update to version 10.9.3 or later to fix the vulnerability. As a temporary workaround, either disallow redirects for import requests, or check the Location header of each import response and drop the request if the Location URL resolves to an internal IP (the check must be repeated on every hop of a redirect chain, not only the first, and must cover hostnames that resolve to internal addresses as well as IP literals). Restrict access to the import functionality to minimize the risk of exploitation, and avoid using the import feature with untrusted URLs until the fix is applied.
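The Location-header workaround above, as an added example that is not part of this advisory or of Directus's own code. It fetches an import URL with redirects disabled in the client, re-validates every hop (IP literals, including IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1, and hostnames via DNS) against loopback, private, link-local and other non-routable ranges, and refuses the import as soon as a hop would reach an internal address. The DNS table, the HTTP responses, the hostnames and the `fake_resolve`/`fake_fetch` stand-ins are constructed so the example runs offline; in a real deployment `resolve` and `fetch` would wrap the resolver and HTTP client the import feature uses.

```python
"""Redirect-aware SSRF guard for URL imports (added example, not Directus code)."""
import ipaddress
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class SsrfBlocked(ValueError):
    """Raised when a URL, or any redirect target, points at an internal address."""


def is_internal_ip(ip_text):
    """True for loopback, RFC 1918, link-local (169.254/16, which includes cloud
    metadata endpoints), multicast, reserved and unspecified addresses.
    IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) are unwrapped first so they
    cannot smuggle a loopback address past an IPv4-only check."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # IPv4Address has no such attribute
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolve):
    """Validate one hop: http(s) only, host present, every address the host
    resolves to is external. Returns the list of addresses that were checked."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise SsrfBlocked(f"unsupported scheme in {url!r}")
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        raise SsrfBlocked(f"no host in {url!r}")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        raise SsrfBlocked(f"{host!r} did not resolve")
    for addr in addrs:
        if is_internal_ip(addr):
            raise SsrfBlocked(f"{url!r} resolves to internal address {addr}")
    return addrs


def safe_import(url, resolve, fetch, max_redirects=MAX_REDIRECTS):
    """Fetch `url`, following redirects by hand and re-running check_url on
    every hop. `fetch(url)` must not follow redirects itself; it returns
    (status, headers, body). Returns (status, body) of the final response."""
    for _ in range(max_redirects + 1):
        check_url(url, resolve)
        status, headers, body = fetch(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_STATUSES and location:
            # Relative Location values are resolved against the current URL,
            # then the resulting URL goes through check_url on the next pass.
            url = urljoin(url, location)
            continue
        return status, body
    raise SsrfBlocked(f"more than {max_redirects} redirects")


# Constructed DNS table and HTTP responses (hypothetical hosts) for offline use.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],  # public
    "cdn.example.net": ["1.1.1.1"],          # public
    "intranet.example.com": ["10.0.0.5"],    # RFC 1918
}
PNG = b"\x89PNG\r\n\x1a\n"
FAKE_HTTP = {
    "https://files.example.com/logo.png": (200, {}, PNG),
    "https://files.example.com/moved": (302, {"Location": "https://cdn.example.net/logo.png"}, b""),
    "https://cdn.example.net/logo.png": (200, {}, PNG),
    "https://files.example.com/evil": (302, {"Location": "http://127.0.0.1/"}, b""),
    "https://files.example.com/evil-dns": (302, {"Location": "http://intranet.example.com/"}, b""),
    "https://files.example.com/evil-mapped": (302, {"Location": "http://[::ffff:127.0.0.1]/"}, b""),
    "https://files.example.com/loop": (302, {"Location": "/loop"}, b""),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, {}, b""))


def blocked(url, resolve=fake_resolve, fetch=fake_fetch):
    """True if safe_import refuses the URL (or one of its redirect targets)."""
    try:
        safe_import(url, resolve, fetch)
    except SsrfBlocked:
        return True
    return False


if __name__ == "__main__":
    for path in ("logo.png", "moved", "evil", "evil-dns", "evil-mapped", "loop"):
        u = f"https://files.example.com/{path}"
        print(f"{u}: {'BLOCKED' if blocked(u) else 'allowed'}")
```

One caveat worth keeping in mind: this is a check-then-fetch design, so a resolver that answers with a public address for the validation lookup and an internal one for the client's own lookup (DNS rebinding) can slip past it. The stronger form is the one the description attributes to the fix, inspecting the address the socket actually connected to, or pinning the connection to the validated IP; the workaround above is what the advisory suggests while that fix is not yet deployed.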

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-39699
GHSA-8P72-RCQ4-H6PW

Affected Products

Directus