CVE-2024-36128

Description

### Describe the Bug Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID. ### To Reproduce 1. Test if the endpoint is working and accessible, `GET http://localhost:8055/utils/random/string` 2. Do a bad request `GET http://localhost:8055/utils/random/string?length=foo` 3. After this all calls to `GET http://localhost:8055/utils/random/string` will return an empty string instead of a random string 4. In this error situation you'll see authentication refreshes fail for the app and api. ### Impact This counts as an unauthenticated denial of service attack vector so this impacts all unpatched instances reachable over the internet.

How to fix CVE-2024-36128

To remediate CVE-2024-36128, upgrade the affected package to a fixed version below.

• —upgrade to 10.11.2 or later

Is CVE-2024-36128 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 10.11.2

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-36128
• PATCHgithub.com/directus/directus
• WEBgithub.com/directus/directus/commit/7d2a1392f43613094de700062aba168a9400dd3b
• WEBgithub.com/directus/directus/security/advisories/GHSA-632p-p495-25m5