Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if the cookie value is captured, it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0.

INFO

Published Date :

2024-05-13T19:39:32.313Z

Last Modified :

2024-08-02T02:59:22.093Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-34709 vulnerability.

Vendors Products
Monospace
  • Directus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-34709.

URL Resource
https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf cve-icon cve-icon cve-icon
https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact