CVE-2022-36031

MEDIUM

Directus - DoS

Title source: llm

Description

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.

References (1)

[Exploit, Mitigation, Third Party Advisory] https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79

Scores

CVSS v3 6.5

EPSS 0.0026

EPSS Percentile 49.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-755

Status published

Affected Products (2)

monospace/directus < 9.15.0

npm/directus < 9.15.0npm

Timeline

Published Aug 19, 2022

Tracked Since Feb 18, 2026