CVE - CVE-2024-34709

CVE-ID
CVE-2024-34709	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if the cookie value is captured, it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf URL:https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf MISC:https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3 URL:https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240507	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240507)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)