Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-07-08T16:43:01.595Z
Updated: 2024-08-02T04:26:16.090Z
Reserved: 2024-06-27T18:44:13.039Z
Link: CVE-2024-39701
Vulnrichment
Updated: 2024-08-02T04:26:16.090Z
NVD
Status : Awaiting Analysis
Published: 2024-07-08T17:15:11.773
Modified: 2024-07-09T18:19:14.047
Link: CVE-2024-39701
Redhat
No data.