cbcvebase.
CVE-2022-36031
published 2022-08-19

CVE-2022-36031: Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the…

PriorityP432medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EPSS
0.84%
53.2th percentile
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.

Affected

3 ranges
VendorProductVersion rangeFixed in
directusdirectus< 9.15.09.15.0
directusdirectus>= 0 < 9.15.09.15.0
monospacedirectus< 9.15.09.15.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.