CVE-2024-39701

2024-07-0817:15:11

CWE-284

GitHub_M

web.nvd.nist.gov

directus

api

dashboard

sql

database

management

vulnerability

broken access control

rule

values

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

Percentile

9.2%

JSON

Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {“role”: {“_in”: $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if field matches any of thevalues. This vulnerability is fixed in 10.6.0.

Affected configurations

Vulners

Vulnrichment

Node

directusdirectusRange9.23.0–10.6.0

VendorProductVersionCPE
directusdirectus*cpe:2.3:a:directus:directus:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
directus	directus	*	cpe:2.3:a:directus:directus::::::::

CNA Affected

[
  {
    "vendor": "directus",
    "product": "directus",
    "versions": [
      {
        "version": ">= 9.23.0, < 10.6.0",
        "status": "affected"
      }
    ]
  }
]