CVE-2024-36128

Published: Jun 3, 2024Modified: Jan 3, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID. This vulnerability is fixed in 10.11.2.

Affected (1)

Products: Monospace: Directus

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Monospace Directus	Before 10.11.2

Related CWEs

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

References (4)

https://github.com/directus/directus/commit/7d2a1392f43613094de700062aba168a9400dd3b

Source: security-advisories@github.com

Patch

https://github.com/directus/directus/security/advisories/GHSA-632p-p495-25m5

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/directus/directus/commit/7d2a1392f43613094de700062aba168a9400dd3b

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/directus/directus/security/advisories/GHSA-632p-p495-25m5

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.