High severity | NVD Advisory · Published Mar 1, 2024 · Updated Aug 28, 2024
Directus MySQL accent insensitive email matching
CVE-2024-27295
Description
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email intended for a victim user: the email is delivered to an address that resembles the victim's but has one or more characters changed to accented variants. This is because MySQL/MariaDB are configured by default for accent-insensitive and case-insensitive string comparisons, so the lookup of the submitted address matches the victim's stored address. This vulnerability is fixed in version 10.8.3.
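The following MySQL session is an added illustration of the mechanism described above; it is constructed for this page and is not Directus code, and the `users_demo` table is a hypothetical stand-in for any application table that keys a security-sensitive lookup on an email column. It shows the accent-insensitive match under the MySQL 8.0 default collation `utf8mb4_0900_ai_ci`, a query to check which collation a column actually uses, and two ways to make the comparison exact.

```sql
-- Constructed demo table, not the Directus schema. On MySQL 8.0 the
-- server default collation is utf8mb4_0900_ai_ci: accent-insensitive
-- (ai) and case-insensitive (ci). The COLLATE clause makes that explicit.
CREATE TABLE users_demo (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci;

INSERT INTO users_demo (id, email) VALUES (1, 'victim@example.com');

-- Weak lookup: the column collation decides the comparison, so a
-- submitted address that differs only by an accent ('í' vs 'i') is
-- compared as if it were the stored address.
SELECT id, email FROM users_demo WHERE email = 'víctim@example.com';

-- Check: which collation does the email column really use?
SELECT COLUMN_NAME, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'users_demo'
  AND COLUMN_NAME  = 'email';

-- Mitigation 1: force an exact, byte-wise comparison for this one query.
-- An explicit COLLATE on the literal takes precedence over the column's
-- collation for the comparison.
SELECT id, email FROM users_demo
WHERE email = 'víctim@example.com' COLLATE utf8mb4_bin;

-- Mitigation 2: fix it at the schema level so every lookup on this
-- column is exact, not just the ones that remember to add COLLATE.
ALTER TABLE users_demo
  MODIFY email VARCHAR(255) NOT NULL COLLATE utf8mb4_bin;

-- Exact address: still found. Accented look-alike: no longer found.
SELECT id, email FROM users_demo WHERE email = 'victim@example.com';
SELECT id, email FROM users_demo WHERE email = 'víctim@example.com';
```

Under the weak collation the first lookup returns the victim's row for the accented address; after either mitigation the accented address returns no row while the exact address still matches. Two practical notes: `utf8mb4_bin` also exists on MariaDB (whose default, `utf8mb4_general_ci`, is likewise accent-insensitive), and a binary collation makes the comparison case-sensitive as well, so an application that wants `Victim@example.com` and `victim@example.com` to be the same account should lower-case the address on write and on lookup in application code rather than rely on the database's collation. A defence-in-depth option that does not depend on the schema at all is to fetch the candidate row and then compare the stored email with the submitted one character-for-character in the application before sending any reset mail.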
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 10.8.3 | 10.8.3 |
References
- github.com/advisories/GHSA-qw9g-7549-7wg5 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27295 (NVD advisory)
- dev.mysql.com/doc/refman/8.0/en/charset-unicode-sets.html (web)
- github.com/directus/directus/commit/a8ef790ea2d28b1727f9027d99bd360920d57919 (fix commit)
- github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5 (vendor advisory, confirmed)
- www.monolune.com/articles/what-is-the-utf8mb4_0900_ai_ci-collation (web)