CVE-2024-39896: Directus Allows Single Sign-On User Enumeration

July 8, 2024

When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a “helpful” error that the user belongs to another provider.

References

github.com/advisories/GHSA-jgf4-vwc3-r46v
github.com/directus/directus
github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2
github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v
nvd.nist.gov/vuln/detail/CVE-2024-39896

Code Behaviors & Features

Detect and mitigate CVE-2024-39896 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →