Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-47822

Good to know:

icon

Date: October 8, 2024

Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in "req.query" is not redacted when the "LOG_STYLE" is set to "raw". If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation. This impacts systems where the "LOG_STYLE" is set to "raw". The "access_token" in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string. This vulnerability has been patched in release version 10.13.2 and subsequent releases as well. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

https://github.com/directus/directus
https://github.com/directus/directus/commit/2e893f9c576d5a02506272fe2c0bcc12e6c58768
https://github.com/directus/directus/security/advisories/GHSA-vw58-ph65-6rxp
https://nvd.nist.gov/vuln/detail/CVE-2024-47822
https://www.mend.io/vulnerability-database/CVE-2024-47822

Severity Score

Weakness Type (CWE)

Insertion of Sensitive Information into Log File

CWE-532

Top Fix

icon

Upgrade Version

Upgrade to version @directus/api - 21.0.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us