Description
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.
References
- Reference tags: Exploit, Mitigation, Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 9.15.0 (exclusive)
cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*
EPSS
- Score: 0.00246 (percentile: 48%), Low
CVSS3
- 6.5 Medium
Weaknesses
- CWE-755
Related vulnerabilities
- Directus vulnerable to unhandled exception on illegal filename_disk value (source: github; published more than 3 years ago; CVSS3: 6.5)