CVE-2024-34709Insufficient Session Expiration in Directus

CWE-613Insufficient Session Expiration3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.2%
top 54.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Monospace DirectusDirectus
Timeline
Latest updateMay 13
PublishedMay 14

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if the cookie value is captured, it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was me

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:NExploitability: 1.2 | Impact: 4.2

Affected Packages3 packages

npmdirectus/directus10.10.010.11.0
NVDmonospace/directus< 10.11.0
CVEListV5directus/directus>= 10.10.0, < 10.11.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Directus Lacks Session Tokens Invalidation2024-05-13
GHSA
Directus Lacks Session Tokens Invalidation2024-05-13