GHSA-77qm-wvqq-fg79

Source

https://github.com/advisories/GHSA-77qm-wvqq-fg79

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-77qm-wvqq-fg79/GHSA-77qm-wvqq-fg79.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-77qm-wvqq-fg79

Aliases

CVE-2022-36031

Published

2022-08-30T20:18:48Z

Modified

2023-11-01T04:59:29.138096Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Directus vulnerable to unhandled exception on illegal filename_disk value

Details

The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint.

The vulnerability is patched and released in v9.15.0.

You can prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.

For more information

If you have any questions or comments about this advisory: * Open a Discussion in directus/directus * Email us at security@directus.io

Credits

This vulnerability was first discovered and reported by Witold Gorecki.

Database specific

{
    "cwe_ids": [
        "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-30T20:18:48Z",
    "severity": "MODERATE",
    "nvd_published_at": "2022-08-19T21:15:00Z"
}

References

Affected packages

npm / directus

Package

Name: directus; View open source insights on deps.dev
Purl: pkg:npm/directus

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.15.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-77qm-wvqq-fg79/GHSA-77qm-wvqq-fg79.json"