CVE-2022-36031 — Improper Handling of Exceptional Conditions in Directus

CWE-755 — Improper Handling of Exceptional Conditions3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 50.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Directus Monospace Directus

Timeline

PublishedAug 19

Latest updateAug 30

Description

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5directus/directus< 9.15.0

▶npmdirectus/directus< 9.15.0

▶NVDmonospace/directus< 9.15.0

🔴Vulnerability Details

GHSA

Directus vulnerable to unhandled exception on illegal filename_disk value↗2022-08-30

▶

OSV

Directus vulnerable to unhandled exception on illegal filename_disk value↗2022-08-30

▶