Directus Timing-Based User Enumeration Vulnerability in Password Reset Functionality
Vulnerability
A timing-based user enumeration vulnerability has been identified in Directus versions prior to 11.14.1. The issue arises in the password reset feature, where the response time varies by approximately 500 milliseconds between existing and non-existing users when an invalid reset_url parameter is used. This discrepancy allows for reliable user enumeration. The vulnerability exists because the password reset endpoint's URL validation occurs before a timing protection mechanism is applied, enabling attackers to distinguish between valid and invalid user accounts based on response times.
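As an added illustration of the ordering the advisory describes (example code, not Directus's own), a simplified password-reset handler in which the invalid-URL error escapes before the response stall is shown beside a corrected ordering. The stall time, user table, helper names and URL rule are all constructed for the example, and a fake clock makes the timing deterministic so the difference can be asserted rather than measured.

```javascript
const STALL_MS = 500;   // minimum response time the stall enforces (constructed)
// Fake clock: work() advances virtual time, stallUntil() pads to a minimum.
function makeClock() {
  const c = { t: 0, now: () => c.t, work: (ms) => { c.t += ms; } };
  c.stallUntil = (start, min) => { if (c.t - start < min) c.t = start + min; };
  return c;
}
const USERS = new Set(['alice@example.com']);   // constructed user table
class InvalidPayloadError extends Error {}
function lookupUser(email, clock) {
  clock.work(20);                               // one DB round trip either way
  return USERS.has(email);
}
function isValidResetUrl(url) {                 // stand-in allow-list check
  return typeof url === 'string' && /^https:\/\//.test(url);
}

// Vulnerable ordering: the URL is checked only after the user is found, and the
// payload error is re-thrown before the stall, so a known account answers fast.
function requestResetVulnerable(email, resetUrl, clock) {
  const start = clock.now();
  try {
    if (!lookupUser(email, clock)) throw new Error('user not found');
    if (!isValidResetUrl(resetUrl)) throw new InvalidPayloadError('bad reset_url');
    clock.work(30);                             // queue the reset mail
  } catch (err) {
    if (err instanceof InvalidPayloadError) throw err;   // skips the stall
  }                                             // other failures stay hidden
  clock.stallUntil(start, STALL_MS);
  return 204;
}

// Fixed ordering: validate the payload before any user lookup, and stall on
// every path that touched user data, so timing no longer depends on existence.
function requestResetFixed(email, resetUrl, clock) {
  if (!isValidResetUrl(resetUrl)) throw new InvalidPayloadError('bad reset_url');
  const start = clock.now();
  try {
    if (!lookupUser(email, clock)) throw new Error('user not found');
    clock.work(30);
  } catch (err) { /* hidden from the client */ }
  finally { clock.stallUntil(start, STALL_MS); }
  return 204;
}

// Virtual response time of one request; an error response counts too.
function timeRequest(handler, email, resetUrl) {
  const clock = makeClock();
  try { handler(email, resetUrl, clock); } catch (e) { /* 400 response */ }
  return clock.now();
}
```

With the vulnerable ordering a known account answers in 20 virtual ms and an unknown one in 500; with the fixed ordering both cases take the same time whether the reset URL is valid or not.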
Impact
Exploitation of this vulnerability could lead to unauthorized user account verification, potentially facilitating targeted phishing attacks.
Remediation
Users can upgrade to Directus version 11.14.1 or later to address this vulnerability.
