CVE-2024-34709: Directus Lacks Session Tokens Invalidation
Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session
gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be.
When authenticating a session token JWT, Directus should also check whether the associated directus_session
both still exists and has not expired (although the token should expire at the same time or before the session) to ensure leaked tokens are not valid indefinitely.
References
Detect and mitigate CVE-2024-34709 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →