CVE-2022-36031
Directus vulnerable to unhandled exception on illegal filename_disk value
Description
The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. The vulnerability is patched and released in v9.15.0. You can prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`. ### For more information If you have any questions or comments about this advisory: * Open a Discussion in [directus/directus](https://github.com/directus/directus/discussions) * Email us at [security@directus.io](mailto:security@directus.io) ### Credits This vulnerability was first discovered and reported by Witold Gorecki.
How to fix CVE-2022-36031
To remediate CVE-2022-36031, upgrade the affected package to a fixed version below.
- —upgrade to 9.15.0 or later
Is CVE-2022-36031 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 9.15.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |