Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNjVoLTM1ZjMteDJ3M84AA74v
Directus Lacks Session Tokens Invalidation
Summary
Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be.
When authenticating a session token JWT, Directus should also check whether the associated directus_session both still exists and has not expired (although the token should expire at the same time or before the session) to ensure leaked tokens are not valid indefinitely.
Steps to reproduce
- Copy the current session token from the cookie
- Refresh and or log out
- Use the saved session token to check if it is still valid
Impact
The lack of proper session expiration may improve the likely success of certain attacks. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.
Permalink: https://github.com/advisories/GHSA-g65h-35f3-x2w3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNjVoLTM1ZjMteDJ3M84AA74v
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Identifiers: GHSA-g65h-35f3-x2w3, CVE-2024-34709
References:
- https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3
- https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf
- https://nvd.nist.gov/vuln/detail/CVE-2024-34709
- https://github.com/advisories/GHSA-g65h-35f3-x2w3
Blast Radius: 11.1
Affected Packages
npm:directus
Dependent packages: 16Dependent repositories: 115
Downloads: 49,789 last month
Affected Version Ranges: >= 10.10.0, < 10.11.0
Fixed in: 10.11.0
All affected versions: 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 10.10.7
All unaffected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.11.0, 10.11.1, 10.11.2, 10.12.0, 10.12.1, 10.13.0, 10.13.1, 10.13.2, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1