Lucene search

GitHub_MVULNRICHMENT:CVE-2024-39701

HistoryJul 08, 2024 - 4:43 p.m.

CVE-2024-39701 Directus Incorrectly handles _in` filter

2024-07-0816:43:01

CWE-284

GitHub_M

github.com

directus

broken access control

sql database

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

7.3

Confidence

Low

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {“role”: {“_in”: $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if field matches any of thevalues. This vulnerability is fixed in 10.6.0.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"
    ],
    "vendor": "monospace",
    "product": "directus",
    "versions": [
      {
        "status": "affected",
        "version": "9.23.0",
        "lessThan": "10.6.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

7.3

Confidence

Low

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-39701