CVE-2022-36031

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.

Published: Aug 19, 2022
Updated: May 9, 2024
CVE: CVE-2022-36031
GHSA: GHSA-77qm-wvqq-fg79
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-755

Affected Software
References

Software	From	Fixed in
monospace / directus	-	9.15.0
directus	-	9.15.0

https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79

Vulnerability Database

CVE-2022-36031