CVE-2023-38503: 
JavaScript vulnerability analysis and mitigation

CVE-2023-38503 affects Directus, a real-time API and App dashboard for managing SQL database content. The vulnerability was discovered in versions 10.3.0 through 10.5.0, where permission filters (such as user_created IS $CURRENT_USER) were not properly checked when using GraphQL subscriptions. This security issue was disclosed on July 25, 2023, and has been patched in version 10.5.0 (Vendor Advisory).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 6.5 MEDIUM (NIST) and 5.7 MEDIUM (GitHub). The issue occurs when using GraphQL subscriptions, where unauthorized users could receive events they shouldn't have access to based on their permission filters. This particularly affects collections with permission filters using $CURRENTUSER, including the built-in directususers collection (Vendor Advisory, NVD).

The vulnerability allows unauthorized users to receive updates and access data they shouldn't have permission to view. For example, users could get updates for other users' changes in the directus_users collection, bypassing intended permission restrictions (Vendor Advisory).

The vulnerability has been patched in Directus version 10.5.0. For users unable to update immediately, the recommended workaround is to disable GraphQL subscriptions entirely (Vendor Advisory, GitHub PR).