fix(deps): update dependency directus to v10.11.2 [security] #81
This PR contains the following updates:
directus 10.10.7 -> 10.11.2
GitHub Vulnerability Alerts
CVE-2024-34708
Summary
A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will return `**********`; however, if we change the request to `?alias[workaround]=redacted` we can instead retrieve the plain text value for the field.

Steps to reproduce

The easiest way to confirm this vulnerability is by first visiting `/users/me`. You should be presented with a redacted JSON object. Next, visit `/users/me?alias[hash]=password`. This time, the returned JSON object will include the raw password hash instead of the redacted value.

Workaround

This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them.
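The root cause described above is a redaction decision keyed on the name a field has in the response rather than on the stored field it came from, so an alias gives the sensitive column a fresh output key that the mask never sees. The following is an added example, not Directus code: a minimal redaction pass in both shapes, with a constructed user record, an assumed `redactedFields` policy set and an assumed `?alias[out]=source` map shape, so the difference can be seen on sample data.

```javascript
// Added example (not Directus code): redaction keyed on the stored field
// rather than the output key, so an alias cannot route a masked field
// around the mask. `redactedFields`, `buildFieldMap` and the alias map
// shape are assumptions for this illustration.

const REDACTED = '**********';

// Fields whose stored value must never leave the API for this role.
// Constructed for the example; a real policy would come from permissions.
const redactedFields = new Set(['password', 'token']);

// Sample item as it would come back from storage (constructed values).
const storedUser = {
  id: 'u-1',
  email: 'alice@example.com',
  password: '$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$hash-value-placeholder',
  token: 'static-token-placeholder',
};

// Resolve `?alias[out]=source` into an output-key -> source-field map.
// Keys that are not aliased map to themselves.
function buildFieldMap(item, alias = {}) {
  const map = new Map();
  for (const key of Object.keys(item)) map.set(key, key);
  for (const [out, source] of Object.entries(alias)) {
    if (!(source in item)) continue; // ignore aliases of unknown fields
    map.set(out, source);
  }
  return map;
}

// Vulnerable shape: decide per *output key*. Any alias of a redacted
// field has a new output key and is returned in the clear.
function redactByOutputKey(item, alias = {}) {
  const out = {};
  for (const [key, source] of buildFieldMap(item, alias)) {
    out[key] = redactedFields.has(key) ? REDACTED : item[source];
  }
  return out;
}

// Hardened shape: decide per *source field*. Whatever the caller names
// the column in the response, the mask follows the stored field.
function redactBySourceField(item, alias = {}) {
  const out = {};
  for (const [key, source] of buildFieldMap(item, alias)) {
    out[key] = redactedFields.has(source) ? REDACTED : item[source];
  }
  return out;
}
```

The only change between the two functions is which side of the field map is consulted; everything the response layer knows about a column (aliases, nested paths, function wrappers) should be resolved back to its source before a sensitivity check is applied.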
CVE-2024-34709
Summary
Currently session tokens function like the other JWT tokens in that they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted, but if you captured the cookie value it will still work for the entire expiry time, which is set to 1 day by default, making it effectively a long-lived, unrevokable stateless token instead of the stateful session token it was meant to be.

When authenticating a session token JWT, Directus should also check whether the associated `directus_session` both still exists and has not expired (although the token should expire at the same time as or before the session) to ensure leaked tokens are not valid indefinitely.

Steps to reproduce

Impact

The lack of proper session expiration may improve the likely success of certain attacks. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.
CVE-2024-36128
Describe the Bug
Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged-in sessions can no longer be refreshed, as sessions depend on the capability to generate a random session ID.

To Reproduce

GET http://localhost:8055/utils/random/string
GET http://localhost:8055/utils/random/string?length=foo
GET http://localhost:8055/utils/random/string

The last request will return an empty string instead of a random string.

Impact

This counts as an unauthenticated denial of service attack vector, so this impacts all unpatched instances reachable over the internet.
Release Notes
directus/directus (directus)
v10.11.2
Compare Source
✨ New Features & Improvements
🐛 Bug Fixes & Optimizations
- `/random/string` with an invalid length param could prevent creation of valid sessions until next restart (#22573 by @Zehir)

📦 Published Versions
@directus/storage-driver-s3@10.0.22
v10.11.1
Compare Source
🐛 Bug Fixes & Optimizations
- `SESSION_TOKEN_TTL` for session mode (#22501 by @br41nslug)
- `_between` and `_nbetween` filters using a function, such as `count()` and `year()` (#22410 by @hanneskuettner)

📦 Published Versions
v10.11.0
Compare Source
- Fixed API queries with the `search` parameter to return no results if the query is not applicable to any fields (#22342)
  Previously, the API returned all items for collections where the `search` parameter was not applicable to any fields. Now the API returns no items in such a case.
- `string` instead of `URL` (#22105 by @paescuj)

✨ New Features & Improvements

- `isDirectusError` guard to return specific error type when code for built-in error is provided (#22346 by @paescuj)

🐛 Bug Fixes & Optimizations

- `search` parameter to return no results if the query is not applicable to any fields (#22342 by @licitdev)
- `list` method to recursively list all files under a prefix (#22322 by @hanneskuettner)

📦 Published Versions
@directus/storage-driver-s3@10.0.21
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.