CVE-2024-34709
Directus Lacks Session Tokens Invalidation
Description
### Summary

Currently session tokens function like the other JWT tokens: they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted, but if you captured the cookie value it will still work for the entire expiry time, which is set to 1 day by default. This makes it effectively a long-lived, unrevokable stateless token instead of the stateful session token it was meant to be.

When authenticating a session token JWT, Directus should also check whether the associated `directus_session` both still exists and has not expired (although the token should expire at the same time as or before the session) to ensure leaked tokens are not valid indefinitely.

## Steps to reproduce

- Copy the current session token from the cookie
- Refresh and/or log out
- Use the saved session token to check if it is still valid

### Impact

The lack of proper session expiration may increase the likelihood that certain attacks succeed. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.
How to fix CVE-2024-34709
To remediate CVE-2024-34709, upgrade the affected package to a fixed version below.
- Upgrade to 10.11.0 or later
Is CVE-2024-34709 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 10.10.0, < 10.11.0