Main Vulnerability Database SB2023032858

SB2023032858 - Information disclosure in Directus

Published: March 28, 2023

Security Bulletin ID SB2023032858

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2023-28443)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files within the directus_refresh_token. A local administrator can read the log files and gain access to sensitive data.

Remediation

Install update from vendor's website.

References

https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7
https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc
https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13