CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile: 34.1%
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized (non-admin) user update the filename_disk value of a file record so that it points at a folder, and then requesting that file through the /assets endpoint. This vulnerability has been patched; release v9.15.0 contains the fix, and users are advised to upgrade. Users unable to upgrade can prevent the problem by making sure that no (untrusted) non-admin users have permission to update the filename_disk field on directus_files.
[
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "< 9.15.0"
}
]
}
]