Information Exposure Affecting directus package, versions >=10.3.0 <10.5.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.07% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-DIRECTUS-5805292
  • published26 Jul 2023
  • disclosed25 Jul 2023
  • creditmadc

Introduced: 25 Jul 2023

CVE-2023-38503  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade directus to version 10.5.0 or higher.

Overview

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Information Exposure. The permission filters (i.e. user_created IS $CURRENT_USER) are not properly checked when using GraphQL subscription, resulting in unauthorized users getting events on their subscription, which they should not receive according to the permissions.

CVSS Base Scores

version 3.1