CVE-2022-36031: Unhandled exception on illegal filename_disk value

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.


Impact

What kind of vulnerability is it? Who is impacted?

The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint.

Patches

Has the problem been patched? What versions should users upgrade to?

The vulnerability is patched and released in v9.15.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

You can prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.

For more information

If you have any questions or comments about this advisory:

Credits

This vulnerability was first discovered and reported by Witold Gorecki.

Related news

GHSA-77qm-wvqq-fg79: Directus vulnerable to unhandled exception on illegal filename_disk value

The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. The vulnerability is patched and released in v9.15.0. You can prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.

For more information

If you have any questions or comments about this advisory:

* Open a Discussion in [directus/directus](https://github.com/directus/directus/discussions)
* Email us at [[email protected]](mailto:[email protected])

Credits

This vulnerability was first discovered and reported by Witold Gorecki.
