Lucene search

K
cve[email protected]CVE-2023-28443
HistoryMar 24, 2023 - 12:15 a.m.

CVE-2023-28443

2023-03-2400:15:15
CWE-284
CWE-532
web.nvd.nist.gov
59
directus
api
app dashboard
unauthorized access
user impersonation
security vulnerability

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.

Affected configurations

Vulners
NVD
Node
directusdirectusRange<9.23.3

CNA Affected

[
  {
    "vendor": "directus",
    "product": "directus",
    "versions": [
      {
        "version": "< 9.23.3",
        "status": "affected"
      }
    ]
  }
]

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Related for CVE-2023-28443