CVE-2024-34709

Source
https://cve.org/CVERecord?id=CVE-2024-34709
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34709.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-34709
Aliases
Published
2024-05-13T19:39:32.313Z
Modified
2026-04-02T11:59:46.451491Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Summary
Directus Lacks Session Tokens Invalidation
Details

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens behave like the other JWT tokens in that they are not actually invalidated on logout. The directus_session record is destroyed and the cookie is deleted, but if the cookie value has been captured it continues to work for the entire expiry time, which is set to 1 day by default, making it effectively a long-lived, unrevokable stateless token instead of the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34709.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-613"
    ]
}
References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type
GIT
Repo
https://github.com/directus/directus
Events

Affected versions

v10.*
v10.10.0
v10.10.1
v10.10.2
v10.10.3
v10.10.4
v10.10.5
v10.10.6
v10.10.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34709.json"