SB2024051364 - Multiple vulnerabilities in Directus
Published: May 13, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Insufficient Session Expiration (CVE-ID: CVE-2024-34709)
The vulnerability allows a remote user to reuse a leaked session token to access a session after logout.
The vulnerability exists due to insufficient session expiration in session token validation when processing authenticated requests with a previously captured session cookie. A remote user can replay a captured session token to reuse a session after logout.
User interaction is required, and exploitation depends on obtaining the session cookie value before logout or refresh.
2) Information disclosure (CVE-ID: CVE-2024-34708)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the API alias functionality when handling alias parameters for redacted hashed fields. A remote privileged user can send a crafted request using the alias parameter to disclose sensitive information.
The issue allows retrieval of the raw stored value of fields that would normally be returned in redacted form.
Remediation
Install the update from the vendor's website.