Impact
What kind of vulnerability is it? Who is impacted?
The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint.
Patches
Has the problem been patched? What versions should users upgrade to?
The vulnerability is patched and released in v9.15.0.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
You can prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.
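One way to check this workaround against an instance's current permission rules, as an added example that is not part of the advisory or of Directus itself: it walks the items returned by the Directus `/permissions` and `/roles` endpoints (fields `role`, `collection`, `action`, `fields`, and `admin_access`) and flags every rule that lets a non-admin role update `filename_disk` on `directus_files`. The sample rules and role ids below are constructed.

```javascript
// Audit helper (added example, not Directus code). Flags update rules on
// directus_files that expose filename_disk to any role without admin_access.
// Admin roles bypass permission rules entirely, so their rules are ignored.
function findRiskyFilenameDiskGrants(permissions, roles) {
  const adminRoles = new Set(roles.filter((r) => r.admin_access).map((r) => r.id));
  return permissions.filter((p) => {
    if (p.collection !== 'directus_files' || p.action !== 'update') return false;
    // role === null is the public (unauthenticated) role, which is never admin.
    if (p.role !== null && adminRoles.has(p.role)) return false;
    // API items carry `fields` as an array; raw DB rows carry a comma-separated
    // string. "*" grants every field, including filename_disk.
    const fields = Array.isArray(p.fields) ? p.fields : String(p.fields ?? '').split(',');
    return fields.some((f) => f.trim() === '*' || f.trim() === 'filename_disk');
  });
}

// Constructed sample data in the shape of /roles and /permissions responses.
const SAMPLE_ROLES = [
  { id: 'role-admin', admin_access: true },
  { id: 'role-editor', admin_access: false },
];
const SAMPLE_PERMISSIONS = [
  { id: 1, role: 'role-admin', collection: 'directus_files', action: 'update', fields: ['*'] },
  { id: 2, role: 'role-editor', collection: 'directus_files', action: 'update', fields: ['title', 'filename_disk'] },
  { id: 3, role: 'role-editor', collection: 'directus_files', action: 'read', fields: ['*'] },
  { id: 4, role: null, collection: 'directus_files', action: 'update', fields: '*' },
];

function riskyRuleIds(permissions = SAMPLE_PERMISSIONS, roles = SAMPLE_ROLES) {
  return findRiskyFilenameDiskGrants(permissions, roles).map((p) => p.id);
}

for (const rule of findRiskyFilenameDiskGrants(SAMPLE_PERMISSIONS, SAMPLE_ROLES)) {
  console.log(`rule ${rule.id}: role ${rule.role ?? 'public'} can update filename_disk`);
}
```

Rules reported for a role granted `*` must be narrowed to an explicit field list that omits `filename_disk`, since the wildcard cannot be partially revoked.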
For more information
If you have any questions or comments about this advisory:
Credits
This vulnerability was first discovered and reported by Witold Gorecki.