CVE-2024-47822Log File Information Exposure in Directus

CWE-532Log File Information Exposure3 documents3 sources
Severity
4.2MEDIUMNVD
EPSS
0.1%
top 75.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
DirectusMonospace DirectusDirectus API
Timeline
PublishedOct 8
Latest updateApr 14

Description

Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation. This impacts systems where the `

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:NExploitability: 0.6 | Impact: 3.6

Affected Packages3 packages

npmdirectus/api< 21.0.0
CVEListV5directus/directus< 10.13.2
NVDmonospace/directus< 10.13.2

🔴Vulnerability Details

2
OSV
Directus inserts access token from query string into logs2025-04-14
GHSA
Directus inserts access token from query string into logs2025-04-14