CVE-2023-28443

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 07:55

Type Values Removed Values Added
References () https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13 - Vendor Advisory () https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13 - Vendor Advisory
References () https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc - Patch () https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc - Patch
References () https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7 - Exploit, Vendor Advisory () https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7 - Exploit, Vendor Advisory
CVSS v2 : unknown
v3 : 5.5
v2 : unknown
v3 : 4.2

29 Mar 2023, 14:29

Type Values Removed Values Added
CPE cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
References (MISC) https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc - (MISC) https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc - Patch
References (MISC) https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13 - (MISC) https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13 - Vendor Advisory
References (MISC) https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7 - (MISC) https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7 - Exploit, Vendor Advisory

24 Mar 2023, 01:57

Type Values Removed Values Added
New CVE

Information

Published : 2023-03-24 00:15

Updated : 2024-11-21 07:55


NVD link : CVE-2023-28443

Mitre link : CVE-2023-28443

CVE.ORG link : CVE-2023-28443


JSON object : View

Products Affected

monospace

  • directus
CWE
CWE-284

Improper Access Control

CWE-532

Insertion of Sensitive Information into Log File