Directus
CVE-2024-36128
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 npm packages depend on directus (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 10.11.2.
DescriptionNVD
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID. This vulnerability is fixed in 10.11.2.
AnalysisAI
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-754. Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID. This vulnerability is fixed in 10.11.2. Affected products include: Monospace Directus. Version information: Prior to 10.11.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. Ra
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions incl
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any contr
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.6), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.2), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.7), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. Rated high severity (
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today