Vulnerability Details CVE-2024-39701
Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.8%
CVSS Severity
CVSS v3 Score 6.3
References
Products affected by CVE-2024-39701
-
cpe:2.3:a:monospace:directus:10.3.0
-
cpe:2.3:a:monospace:directus:10.4.0
-
cpe:2.3:a:monospace:directus:10.4.2
-
cpe:2.3:a:monospace:directus:10.4.3
-
cpe:2.3:a:monospace:directus:10.5.0
-
cpe:2.3:a:monospace:directus:10.5.1
-
cpe:2.3:a:monospace:directus:10.5.2
-
cpe:2.3:a:monospace:directus:10.5.3
-
cpe:2.3:a:monospace:directus:9.23.0
-
cpe:2.3:a:monospace:directus:9.23.1
-
cpe:2.3:a:monospace:directus:9.23.2
-
cpe:2.3:a:monospace:directus:9.23.3
-
cpe:2.3:a:monospace:directus:9.23.4