Moderate severity · NVD Advisory · Published Mar 23, 2023 · Updated Feb 21, 2025
directus vulnerable to Insertion of Sensitive Information into Log File
CVE-2023-28443
Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not properly redacted from log output, so anyone with read access to the logs can recover the token and use it to impersonate users without their permission. This issue is patched in version 9.23.3.
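The mechanics of this class of bug, as an added example that is not Directus code and not the project's fix: a structured HTTP logger that copies the raw Cookie and Set-Cookie headers into the log record leaks the refresh token, while one that masks the token value at the string level before serializing does not. The cookie name follows the advisory; the request, response, token values and the `[REDACTED]` marker are constructed for the example.

```javascript
// Added example, not Directus code: a request/response log serializer that
// leaks the refresh-token cookie, beside one that redacts it before the
// record is written. Token values are constructed placeholders.

const SENSITIVE_COOKIES = new Set(['directus_refresh_token']);
const REDACTED = '[REDACTED]';

// Naive serializers: headers are copied into the log record as-is, so the
// raw Cookie header and any Set-Cookie the server issues land in the log.
function serializeRequestUnsafe(req) {
  return { method: req.method, url: req.url, headers: { ...req.headers } };
}
function serializeResponseUnsafe(res) {
  return { statusCode: res.statusCode, headers: { ...res.headers } };
}

// Rewrite a raw Cookie header ("a=1; b=2") so listed cookie values are masked.
function redactCookieHeader(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((part) => {
      const eq = part.indexOf('=');
      if (eq === -1) return part.trim();
      const name = part.slice(0, eq).trim();
      const value = part.slice(eq + 1).trim();
      return SENSITIVE_COOKIES.has(name) ? `${name}=${REDACTED}` : `${name}=${value}`;
    })
    .join('; ');
}

// Rewrite one Set-Cookie value ("name=value; Path=/; HttpOnly"), masking only
// the cookie value and keeping the attributes, which are useful for debugging.
function redactSetCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';');
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair.trim() : pair.slice(0, eq).trim();
  if (!SENSITIVE_COOKIES.has(name)) return setCookie;
  return [`${name}=${REDACTED}`, ...attrs.map((a) => a.trim())].join('; ');
}

// Hardened serializers: redact on the header strings themselves, so the token
// is censored whether or not the framework has parsed cookies into an object.
function serializeRequestSafe(req) {
  const headers = { ...req.headers };
  if (typeof headers.cookie === 'string') headers.cookie = redactCookieHeader(headers.cookie);
  if ('authorization' in headers) headers.authorization = REDACTED;
  return { method: req.method, url: req.url, headers };
}
function serializeResponseSafe(res) {
  const headers = { ...res.headers };
  const sc = headers['set-cookie'];
  if (Array.isArray(sc)) headers['set-cookie'] = sc.map(redactSetCookie);
  else if (typeof sc === 'string') headers['set-cookie'] = redactSetCookie(sc);
  return { statusCode: res.statusCode, headers };
}

// Constructed sample traffic for a token refresh (placeholder token values).
const REFRESH_TOKEN = 'EXAMPLE_REFRESH_TOKEN_VALUE';
const NEW_REFRESH_TOKEN = 'EXAMPLE_ROTATED_REFRESH_TOKEN';
const sampleRequest = {
  method: 'POST',
  url: '/auth/refresh',
  headers: {
    host: 'directus.example.test',
    cookie: `directus_refresh_token=${REFRESH_TOKEN}; theme=dark`,
    authorization: 'Bearer EXAMPLE_ACCESS_TOKEN',
  },
};
const sampleResponse = {
  statusCode: 200,
  headers: {
    'content-type': 'application/json',
    'set-cookie': [`directus_refresh_token=${NEW_REFRESH_TOKEN}; Path=/; HttpOnly; SameSite=Lax`],
  },
};

// One JSON line per request, the shape a structured HTTP logger writes.
function formatLogLine(req, res, serializeReq, serializeRes) {
  return JSON.stringify({ msg: 'request completed', req: serializeReq(req), res: serializeRes(res) });
}

// What a log reviewer checks: does a written line still contain a token value?
function leaksAny(line, secrets) {
  return secrets.some((s) => line.includes(s));
}

function demo() {
  const secrets = [REFRESH_TOKEN, NEW_REFRESH_TOKEN];
  const unsafeLine = formatLogLine(sampleRequest, sampleResponse, serializeRequestUnsafe, serializeResponseUnsafe);
  const safeLine = formatLogLine(sampleRequest, sampleResponse, serializeRequestSafe, serializeResponseSafe);
  return {
    unsafeLine,
    safeLine,
    unsafeLeaks: leaksAny(unsafeLine, secrets), // true: both token values are in the log
    safeLeaks: leaksAny(safeLine, secrets), // false
  };
}
```

The caveat this illustrates: a path-based redactor (pino's `redact` option, for instance) censors only properties that exist on the logged object at serialization time, so a rule targeting a parsed cookie field does nothing for the raw `cookie` request header string or a `set-cookie` response header carrying the same token. Redacting the header strings themselves covers both, and the `leaksAny` scan over written lines is the check to run against real logs after deploying such a change.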
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 9.23.3 | 9.23.3 |
References
- github.com/advisories/GHSA-8vg2-wf3q-mwv7 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-28443 (NVD entry)
- github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts (affected logger source)
- github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc (fix commit)
- github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7 (project security advisory)