THREATINT

CVE
PUBLISHED

CVE-2024-39701

Directus Incorrectly handles `_in` filter

Assigner: GitHub_M
Reserved: 2024-06-27
Published: 2024-07-08
Updated: 2024-07-10

Description

Directus is a real-time API and App dashboard for managing SQL database content. Directus >= 9.23.0 and <= 10.5.3 improperly handles the _in and _nin operators: an empty array is evaluated as a valid match, so an expression like {"role": {"_in": $CURRENT_USER.some_field}} evaluates to true when the referenced field is empty, allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: pass the rule only if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0.

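The behaviour described above, as an added illustration that is not Directus code: a minimal permission-filter evaluator in which an empty `_in` list either passes the rule (the flawed behaviour) or matches nothing (the corrected behaviour). The rule shape, the `$CURRENT_USER.some_field` placeholder and the sample user and item records are constructed for this example; deny-by-default for an empty `_nin` list is this example's choice and is not taken from the upstream fix.

```javascript
// Added example (not Directus code): a minimal permission-filter evaluator that
// reproduces the empty-array handling described in CVE-2024-39701 and its fixed form.
// Rule shape follows the advisory: {"role": {"_in": "$CURRENT_USER.some_field"}}.

// Resolve "$CURRENT_USER.<field>" placeholders against the requesting user's record.
// A missing or empty field resolves to an empty list, which is the edge case at issue.
function resolveDynamicValues(value, currentUser) {
  if (typeof value === 'string' && value.startsWith('$CURRENT_USER.')) {
    const resolved = currentUser[value.slice('$CURRENT_USER.'.length)];
    if (resolved == null) return [];
    return Array.isArray(resolved) ? resolved : [resolved];
  }
  return value;
}

// Apply one operator to the item's field value. With `vulnerable` set, an empty list is
// treated as a match (the pre-10.6.0 behaviour); otherwise an empty list never matches.
// Deny-by-default for an empty `_nin` list is this example's choice (assumption), not upstream's.
function applyOperator(op, fieldValue, values, vulnerable) {
  if (op !== '_in' && op !== '_nin') throw new Error(`unsupported operator ${op}`);
  const list = Array.isArray(values) ? values : [values];
  if (list.length === 0) return vulnerable; // fixed path: an empty set matches nothing
  const hit = list.includes(fieldValue);
  return op === '_in' ? hit : !hit;
}

// Evaluate a whole rule: every field condition must hold (implicit AND, as in a filter object).
function evaluateRule(rule, item, currentUser, { vulnerable = false } = {}) {
  return Object.entries(rule).every(([field, conditions]) =>
    Object.entries(conditions).every(([op, raw]) =>
      applyOperator(op, item[field], resolveDynamicValues(raw, currentUser), vulnerable)));
}

// Constructed scenario: a user whose `some_field` is empty requests an item with role 'admin'.
const RULE = { role: { _in: '$CURRENT_USER.some_field' } };
const USER_NO_ROLES = { id: 'u1', some_field: [] };
const USER_WITH_ROLES = { id: 'u2', some_field: ['editor', 'admin'] };
const ITEM = { id: 42, role: 'admin' };

function demo() {
  return {
    vulnerableEmpty: evaluateRule(RULE, ITEM, USER_NO_ROLES, { vulnerable: true }), // true: passes
    fixedEmpty: evaluateRule(RULE, ITEM, USER_NO_ROLES),                            // false: denied
    fixedMatch: evaluateRule(RULE, ITEM, USER_WITH_ROLES),                          // true: real match
  };
}

console.log(demo());
```
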
MEDIUM: 6.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Problem types

CWE-284: Improper Access Control

Product status

>= 9.23.0, < 10.6.0: affected

References

https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm

cve.org CVE-2024-39701

nvd.nist.gov CVE-2024-39701
