Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-34708
Summary
The package Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection that uses redacted hashed fields can access the raw stored value through the 'alias' functionality of the API. Normally these redacted fields return '**********'; however, if the request is changed to '?alias[workaround]=redacted', the plain-text value of the field is returned instead. This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them. This issue affects directus versions through 10.10.7 and @directus/api versions from 9.25.0 through 19.0.2.
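The following is an added illustration, not Directus code, of the defect class the summary describes: redaction keyed on the requested output name (which an alias can rename) rather than on the underlying stored field. The record, field names, `aliases` map and `allowed` permission set are simplified assumptions; the fixed variant resolves the alias before deciding whether to redact, and the permission-removal mitigation from the advisory is shown to close the gap in both variants.

```javascript
// Added illustration (not Directus code) of the CVE-2024-34708 defect class.
const REDACTED = '**********';

// Constructed sample record; "password" stands in for a redacted hashed field.
const ROW = { id: 1, email: 'alice@example.com', password: '$argon2id$fakehash' };
const HASHED_FIELDS = new Set(['password']);

// Vulnerable shape: the redaction test looks at `field` (the output key), so an
// alias such as { workaround: 'password' } bypasses it, while the permission
// check correctly uses the resolved source field.
function vulnerableApply(row, fields, aliases, allowed) {
  const out = {};
  for (const field of fields) {
    const source = aliases[field] ?? field;      // resolve alias -> real field
    if (!allowed.has(source)) continue;          // role may not read this field
    out[field] = HASHED_FIELDS.has(field) ? REDACTED : row[source];
  }
  return out;
}

// Fixed shape: resolve the alias first, then redact on the real field name.
function fixedApply(row, fields, aliases, allowed) {
  const out = {};
  for (const field of fields) {
    const source = aliases[field] ?? field;
    if (!allowed.has(source)) continue;
    out[field] = HASHED_FIELDS.has(source) ? REDACTED : row[source];
  }
  return out;
}

// Permission sets (assumed): a role that may read every field, and one that
// has had the sensitive field removed, as the advisory recommends.
const ALL_FIELDS = new Set(['id', 'email', 'password']);
const NO_HASH = new Set(['id', 'email']);

// Returns what each variant hands back for an aliased read of the hashed field.
function compare(allowed) {
  const aliases = { workaround: 'password' };
  return {
    vulnerable: vulnerableApply(ROW, ['workaround'], aliases, allowed).workaround,
    fixed: fixedApply(ROW, ['workaround'], aliases, allowed).workaround,
  };
}
```

With `ALL_FIELDS`, `compare` shows the vulnerable variant leaking the stored hash while the fixed one still returns the mask; with `NO_HASH`, neither variant returns the field at all.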
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- HIGH
- HIGH
- NONE
CWE-200 - Information Exposure
An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.
References
Advisory Timeline
- Published