CVE-2024-34709 MEDIUM

CVE-2024-34709: Directus Lacks Session Tokens Invalidation

Vendor Directus
Product directus
Weakness CWE-613 · Insufficient session expiration
Published May 13, 2024
Last update August 2, 2024

CVSS base score

5.4/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens behave like the other JWT tokens: they are not actually invalidated when logging out. The `directus_session` record gets destroyed and the cookie gets deleted, but if the cookie value has been captured, it will still work for the entire expiry time, which is set to 1 day by default. This makes it effectively a long-lived, unrevokable stateless token instead of the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0.

Key dates

02 Disclosure timeline

May 13, 2024 CVE published
August 2, 2024 Record updated
