Moderate severity · NVD Advisory · Published Aug 19, 2022 · Updated Apr 22, 2025
Unhandled exception on illegal filename_disk value
CVE-2022-36031
Description
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 9.15.0 | 9.15.0 |
References
- github.com/advisories/GHSA-77qm-wvqq-fg79 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36031 (ADVISORY)
- github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79 (x_refsource_CONFIRM, WEB)