CVE-2024-39701 - Vulnerability Details - OpenCVE

ReportizFlow

Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Directus	Directus
Monospace	Directus

Configuration 1 [-]

cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm

History

Thu, 04 Sep 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Monospace Monospace directus
CPEs		cpe:2.3:a:monospace:directus::::::::
Vendors & Products		Monospace Monospace directus

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-08T16:43:01.595Z

Updated: 2024-08-02T04:26:16.090Z

Reserved: 2024-06-27T18:44:13.039Z

Link: CVE-2024-39701

Vulnrichment

Updated: 2024-08-02T04:26:16.090Z

NVD

Status : Analyzed

Published: 2024-07-08T17:15:11.773

Modified: 2025-09-04T14:43:40.310

Link: CVE-2024-39701

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39701", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-27T18:44:13.039Z", "datePublished": "2024-07-08T16:43:01.595Z", "dateUpdated": "2024-08-02T04:26:16.090Z"}, "containers": {"cna": {"title": "Directus Incorrectly handles _in` filter", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": ">= 9.23.0, < 10.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:43:01.595Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {\"role\": {\"_in\": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0."}], "source": {"advisory": "GHSA-hxgm-ghmv-xjjm", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "monospace", "product": "directus", "cpes": ["cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.23.0", "status": "affected", "lessThan": "10.6.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T19:39:42.719726Z", "id": "CVE-2024-39701", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T16:38:47.405Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:16.090Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm", "name": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:16.090Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39701", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T19:39:42.719726Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"], "vendor": "monospace", "product": "directus", "versions": [{"status": "affected", "version": "9.23.0", "lessThan": "10.6.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:42:26.480Z"}}], "cna": {"title": "Directus Incorrectly handles _in` filter", "source": {"advisory": "GHSA-hxgm-ghmv-xjjm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": ">= 9.23.0, < 10.6.0"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm", "name": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {\"role\": {\"_in\": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:43:01.595Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39701", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:26:16.090Z", "dateReserved": "2024-06-27T18:44:13.039Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-08T16:43:01.595Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6AFE1C8-B932-442B-A1D9-CC160878F0ED", "versionEndExcluding": "10.6.0", "versionStartIncluding": "9.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {\"role\": {\"_in\": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0."}, {"lang": "es", "value": "Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. Directus >=9.23.0, <=v10.5.3 maneja incorrectamente los operadores _in, _nin. Eval\u00faa matrices vac\u00edas como v\u00e1lidas, por lo que expresiones como {\"role\": {\"_in\": $CURRENT_USER.some_field}} se evaluar\u00edan como verdaderas, lo que permitir\u00eda que se aprobara la solicitud. Esto da como resultado un control de acceso roto porque la regla no logra hacer lo que estaba previsto: aprobar la regla si el **field** coincide con alguno de los **values**. Esta vulnerabilidad se solucion\u00f3 en 10.6.0."}], "id": "CVE-2024-39701", "lastModified": "2025-09-04T14:43:40.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-07-08T17:15:11.773", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/directus/directus/security/advisories/GHSA-hxgm-ghmv-xjjm"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "[email protected]", "type": "Secondary"}]}