PT-2024-36074 · Directus · Directus

Fishuke +1

Published: 2024-12-09 · Updated: 2025-11-18

CVE-2024-54151

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions 11.0.0 through 11.2.x
Description: Directus is a real-time API and App dashboard for managing SQL database content. When WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to "public", an unauthenticated user can perform any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to "public": unauthenticated users can subscribe to changes on any collection or perform REST CRUD operations on user-defined collections, ignoring permissions.
Recommendations: For versions 11.0.0 through 11.2.x, update to version 11.3.0 to resolve the issue. As a temporary workaround, set WEBSOCKETS_GRAPHQL_AUTH and WEBSOCKETS_REST_AUTH to a value other than "public" to restrict unauthenticated access, and restrict network access to the WebSocket API endpoints to minimize the risk of exploitation. Avoid running with either setting at "public" until the update is applied.
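A defender-side configuration check for this advisory, added here and not part of the PT advisory or the Directus project: it parses a Directus `.env`, flags either WebSocket auth key set to `public` on an affected version (11.0.0 up to but not including 11.3.0), and rewrites the weak setting to a non-public mode. It assumes, from the Directus documentation rather than this page, the `WEBSOCKETS_ENABLED` flag (default false) and the non-public mode name `strict`; the sample `.env` is constructed.

```python
"""Audit a Directus .env for the CVE-2024-54151 WebSocket auth misconfiguration."""
import re

AFFECTED_MIN = (11, 0, 0)   # first affected release per the advisory
FIXED = (11, 3, 0)          # first fixed release per the advisory
WS_AUTH_KEYS = ("WEBSOCKETS_REST_AUTH", "WEBSOCKETS_GRAPHQL_AUTH")

# Constructed sample .env for an instance running 11.2.1 (not a real deployment).
WEAK_ENV = """\
WEBSOCKETS_ENABLED=true
WEBSOCKETS_REST_AUTH=public
WEBSOCKETS_GRAPHQL_AUTH="handshake"
"""


def parse_env(text):
    """Minimal KEY=VALUE parser; strips comments, blanks and surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def is_affected_version(version):
    """True for 11.0.0 <= version < 11.3.0; accepts an optional leading 'v'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return AFFECTED_MIN <= tuple(int(x) for x in m.groups()) < FIXED


def audit(env_text, version):
    """Return (key, severity) for every WebSocket auth key left at 'public'."""
    env = parse_env(env_text)
    # Assumption: WEBSOCKETS_ENABLED defaults to false, so nothing is exposed.
    if env.get("WEBSOCKETS_ENABLED", "false").lower() != "true":
        return []
    severity = "vulnerable" if is_affected_version(version) else "review"
    # Assumption: the default auth mode is 'handshake', i.e. not public.
    return [(k, severity) for k in WS_AUTH_KEYS
            if env.get(k, "handshake").lower() == "public"]


def harden(env_text, replacement="strict"):
    """Rewrite each public WebSocket auth mode to a non-public one (assumed 'strict')."""
    out = []
    for line in env_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in WS_AUTH_KEYS and value.strip().strip("\"'").lower() == "public":
            line = f"{key.strip()}={replacement}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run `audit(WEAK_ENV, "11.2.1")` to see the REST key flagged as vulnerable, and `audit(harden(WEAK_ENV), "11.2.1")` to confirm the rewritten file passes.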

Information Disclosure

Related Identifiers

CVE-2024-54151
GHSA-849R-QRWJ-8RV4

Affected Products

Directus