CVE-2022-36031: Improper Handling of Exceptional Conditions

August 19, 2022 (updated August 24, 2022)

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.

References

github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79
nvd.nist.gov/vuln/detail/CVE-2022-36031

Detect and mitigate CVE-2022-36031 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →