Inclusion of Sensitive Information in Log Files in Directus - CVE-2024-47822

Published: October 8, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127108
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-47822
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a local privileged user to disclose sensitive information.

The vulnerability exists because, when raw logging is enabled, request query logging writes the full query string of each request to the log files; an access token supplied as a query-string parameter is therefore recorded in the logs in plaintext. A local privileged user can send a request containing an access token in the query string, causing the token to be written to the log and disclosed.

Only instances with the LOG_STYLE setting set to raw are vulnerable. User interaction is required.
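As an added illustration (not Directus's own code, and not taken from the vendor's fix), the following Node.js snippet shows the defensive pattern that CWE-532 calls for in this situation: redacting the sensitive query parameter before a request line reaches a raw log, and a check that scans existing log lines for tokens that were already recorded. The parameter name access_token, the log line format and the sample log lines are assumptions constructed for this example.

```javascript
// Added example, not Directus's own code. Demonstrates redacting a sensitive
// query parameter before a request is logged, and scanning existing log
// lines for tokens that were logged unredacted (CWE-532).

// Query parameter names treated as sensitive (assumption for this example).
const SENSITIVE_QUERY_KEYS = new Set(['access_token']);

// Return the URL (or path) with sensitive query values replaced, so a raw
// request logger can record the request without recording the credential.
function redactUrl(rawUrl, sensitiveKeys = SENSITIVE_QUERY_KEYS) {
  const isPathOnly = rawUrl.startsWith('/');
  // The base is only needed to parse relative paths; it is never logged.
  const url = new URL(rawUrl, 'http://localhost');
  for (const key of [...url.searchParams.keys()]) {
    if (sensitiveKeys.has(key.toLowerCase())) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  return isPathOnly ? url.pathname + url.search : url.href;
}

// Build the request log line from the redacted URL rather than the raw one.
function formatRequestLogLine(timestamp, method, rawUrl, status) {
  return `[${timestamp}] ${method} ${redactUrl(rawUrl)} ${status}`;
}

// Matches an access_token query parameter inside a logged request line.
const TOKEN_IN_QUERY = /[?&]access_token=([^&\s"']+)/i;

// Scan log lines and report those carrying an unredacted token. Useful for
// deciding whether logs written before the fix need cleaning up and which
// tokens need rotating. Returns 1-based line numbers with the token found.
function findLeakedTokens(logLines) {
  const leaks = [];
  logLines.forEach((line, index) => {
    const match = TOKEN_IN_QUERY.exec(line);
    if (match && match[1] !== 'REDACTED') {
      leaks.push({ line: index + 1, token: match[1] });
    }
  });
  return leaks;
}

// Constructed sample log lines in the format assumed above; the token value
// is a dummy string, not a real credential.
const SAMPLE_LOG_LINES = [
  '[12:00:01] GET /items/articles?access_token=dummy_token_abc123 200',
  '[12:00:02] GET /items/articles?limit=10 200',
  '[12:00:03] GET /users/me?fields=id&access_token=REDACTED 200',
];

// Demonstration: the freshly formatted line never contains the token, and
// the scan flags only the first sample line.
console.log(formatRequestLogLine('12:00:04', 'GET',
  '/items/articles?access_token=dummy_token_abc123&limit=5', 200));
console.log(findLeakedTokens(SAMPLE_LOG_LINES));
```

The redaction runs on the parsed URL rather than on the raw string so that it also catches the parameter when it is not the first one in the query; the scanner is intentionally simple and only looks for the one parameter name this advisory concerns.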


How to mitigate CVE-2024-47822

Install the security update from the vendor's website. Since only instances running with LOG_STYLE set to raw are affected, instances that cannot be updated immediately reduce their exposure by not using that log style.

Sources