Directus API and App Dashboard Vulnerability - Access Tokens Not Redacted in System Logs
CVE-2024-47822

4.2MEDIUM

Key Information:

Vendor: Directus
Status: Directus
Vendor: CVE Published:; 8 October 2024

What is CVE-2024-47822?

Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOG_STYLE is set to raw. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation. This impacts systems where the LOG_STYLE is set to raw. The access_token in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string. This vulnerability has been patched in release version 10.13.2 and subsequent releases as well. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

directus < 10.13.2

References

https://github.com/directus/directus/security/advisories/...

x_refsource_CONFIRM

https://github.com/directus/directus/commit/2e893f9c576d5...

x_refsource_MISC

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 8, 2024
Vulnerability Reserved
Oct 3, 2024