SB20240708104 - Multiple vulnerabilities in Directus
Published: July 8, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Protection Mechanism Failure (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary code outside the sandbox.
The vulnerability exists due to improper sandbox enforcement in the vm2 sandbox used by the "Run Script" operation in flows when processing promise handlers. A remote privileged user can bypass promise handler sanitization to execute arbitrary code outside the sandbox.
User interaction is required.
2) Improper access control (CVE-ID: CVE-2024-39701)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the _in and _nin filter operators when evaluating filter rules that reference empty or null-derived arrays. A remote user can supply input that causes the validation rule to evaluate to true to disclose sensitive information.
Exploitation requires access to functionality that relies on these filter-based validation rules.
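To make the second item concrete, here is an added illustration in JavaScript of the defect class described above. It is not Directus's own code and makes no claim about the exact line in Directus; it contrasts a validator that treats an empty or null-derived `_in`/`_nin` operand as "no constraint" (so the rule passes for any input) with one that fails closed. The context field names (`allowed_roles`, `blocked`) and the helper names (`laxEvaluate`, `strictEvaluate`) are assumptions for this example.

```javascript
// Added example, not Directus code: a minimal evaluator for filter-style
// validation rules of the form { field: { _in: [...] } } / { field: { _nin: [...] } }.
// Operands may be literal arrays or dynamic variables such as
// "$CURRENT_USER.allowed_roles" (the sub-field names are constructed here).

const OPERATORS = {
  // Strict equality; the operand is already resolved to an array by the caller.
  _in: (value, list) => list.some((item) => item === value),
  _nin: (value, list) => !list.some((item) => item === value),
};

// Resolve a "$VAR.path.to.value" operand against a context object.
// Returns null when any step of the path is missing (a "null-derived" operand).
function resolveOperand(operand, context) {
  if (typeof operand !== 'string' || !operand.startsWith('$')) return operand;
  let current = context;
  for (const key of operand.slice(1).split('.')) {
    if (current === null || current === undefined) return null;
    current = current[key];
  }
  return current === undefined ? null : current;
}

// Shared walk over { field: { op: operand } } rules; `evalOp` decides one condition.
function evaluateRule(rule, payload, context, evalOp) {
  return Object.entries(rule).every(([field, conditions]) =>
    Object.entries(conditions).every(([op, rawOperand]) =>
      evalOp(op, payload[field], resolveOperand(rawOperand, context)),
    ),
  );
}

// Unsafe pattern: an operand that is empty or did not resolve is treated as
// "no constraint", so the condition passes for any value of the field.
function laxEvaluate(rule, payload, context = {}) {
  return evaluateRule(rule, payload, context, (op, value, operand) => {
    if (!Array.isArray(operand) || operand.length === 0) return true; // the flaw
    const fn = OPERATORS[op];
    return fn ? fn(value, operand) : true;
  });
}

// Fail-closed variant: an operand that is not an array (null-derived or wrong
// type) or an unknown operator rejects. Empty arrays are evaluated literally,
// so `_in: []` matches nothing and `_nin: []` matches everything.
function strictEvaluate(rule, payload, context = {}) {
  return evaluateRule(rule, payload, context, (op, value, operand) => {
    const fn = OPERATORS[op];
    if (!fn || !Array.isArray(operand)) return false;
    return fn(value, operand);
  });
}

// Side-by-side result for one rule, payload and context.
function compare(rule, payload, context = {}) {
  return {
    lax: laxEvaluate(rule, payload, context),
    strict: strictEvaluate(rule, payload, context),
  };
}

// Constructed sample: a user whose allowed-roles list never resolved, and a
// payload that a correctly evaluated rule should reject.
const SAMPLE_CONTEXT = { CURRENT_USER: { id: 'u1', allowed_roles: null } };
const RULE_IN_DYNAMIC = { role: { _in: '$CURRENT_USER.allowed_roles' } };
const PAYLOAD_ADMIN = { role: 'admin' };

console.log(compare(RULE_IN_DYNAMIC, PAYLOAD_ADMIN, SAMPLE_CONTEXT));
```

The practical check is the second case: when a rule's operand comes from a dynamic variable that resolves to `null` or `[]`, the lax evaluator silently drops the rule and the payload is accepted, which is the shape of bypass the advisory describes. Failing closed on an unresolvable operand, and evaluating `_in: []` as "matches nothing", removes that path without changing the meaning of well-formed rules.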
Remediation
Install the update from the vendor's website.