CVE-2022-36031

2022-08-19 21:15:08
CWE-755
Source: GitHub_M (web.nvd.nist.gov)
Tags: directus, data platform, content management, cybersecurity, vulnerability, patch, unauthorized access

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 34.1%

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.

Affected configurations

NVD / Vulners:
  Node       Vendor      Product    Range
  monospace  monospace   directus   < 9.15.0

  Vendor     Product    Version  CPE
  monospace  directus   *        cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "directus",
    "vendor": "directus",
    "versions": [
      {
        "status": "affected",
        "version": "< 9.15.0"
      }
    ]
  }
]
