Directus Open Redirect Vulnerability in SAML Authentication Callback
Vulnerability
An open redirect vulnerability has been identified in Directus versions prior to 11.14.0, specifically within the SAML authentication callback endpoint. The vulnerability arises because the 'RelayState' parameter, which is meant to retain the user's original destination, is used as a redirect target without being validated against an allowlist of permitted domains. The login initiation endpoint validates redirect targets correctly, but the same check is absent from the callback endpoint. Consequently, an attacker can craft an authentication request that redirects users to an arbitrary external URL after authentication, on both the success path and the error-handling path. This issue can be exploited without authentication.
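The defect described above is a missing allowlist check on a redirect target. The following is an added example, not Directus's own code, showing the vulnerable shape of a callback redirect next to a hardened one; the allowlist (`ALLOWED_ORIGINS`), the fallback landing page and the function names are hypothetical. The validator goes a little beyond the advisory's description by also handling the relative-URL edge cases an allowlist check commonly gets wrong (protocol-relative `//host` paths, backslash variants, credentials in the authority, and non-http schemes).

```javascript
// Added example: validating a SAML callback's RelayState before redirecting.
// Not Directus code; allowlist, fallback and handler names are hypothetical.

// Hypothetical allowlist of origins this deployment is willing to redirect to.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
const DEFAULT_LANDING = '/admin';

// Returns a redirect target that is either a same-site relative path or an
// absolute URL on an allowlisted origin; anything else collapses to `fallback`.
function resolveRedirectTarget(relayState, allowedOrigins = ALLOWED_ORIGINS, fallback = DEFAULT_LANDING) {
  if (typeof relayState !== 'string' || relayState.length === 0) return fallback;

  // Browsers treat a backslash like a slash when parsing the authority, so
  // '/\evil.example' behaves like '//evil.example'. Normalise before checking.
  const candidate = relayState.replace(/\\/g, '/');

  // Same-site relative path: exactly one leading '/', so not protocol-relative.
  if (candidate.startsWith('/') && !candidate.startsWith('//')) {
    return candidate;
  }

  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    // Neither a safe relative path nor a parseable absolute URL
    // (e.g. '//evil.example/x' has no scheme and fails to parse): refuse it.
    return fallback;
  }

  // Compare the parsed origin (scheme + host + port), not a string prefix.
  // 'https://app.example.com.evil.example' and 'https://app.example.com@evil.example'
  // both parse to origins that are not on the allowlist; 'javascript:' has origin 'null'.
  const httpScheme = parsed.protocol === 'https:' || parsed.protocol === 'http:';
  if (httpScheme && allowedOrigins.includes(parsed.origin)) {
    return parsed.href;
  }
  return fallback;
}

// Vulnerable shape: RelayState flows straight into the redirect on the callback.
function vulnerableCallbackRedirect(relayState) {
  return relayState || DEFAULT_LANDING;
}

// Hardened shape: both the success and the error path go through the validator,
// and the error reason is appended to the validated target, never the raw input.
function hardenedCallbackRedirect(relayState, authError) {
  const target = resolveRedirectTarget(relayState);
  if (authError) {
    const sep = target.includes('?') ? '&' : '?';
    return `${target}${sep}reason=${encodeURIComponent(authError)}`;
  }
  return target;
}

module.exports = { resolveRedirectTarget, vulnerableCallbackRedirect, hardenedCallbackRedirect };
```

The important design choice is that validation happens on the parsed origin rather than on a string prefix of the raw value, and that the error path reuses the same validator: an allowlist applied only on success still leaves the error branch open, which matches the advisory's note that both paths were affected.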
Impact
Exploitation of this vulnerability allows for open redirection, which can be used for phishing attacks by redirecting users to malicious sites that mimic legitimate login pages. Additionally, such redirects could be leveraged to capture OAuth tokens or authorization codes, facilitating credential theft. This vulnerability may also erode user trust in the application's security.
Remediation
Upgrade to Directus version 11.14.0 or later, which contains the fix for this vulnerability.