References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Change History

https://github.com/directus/directus/commit/e70a90c267bea695afce6545174c2b77517d617b

https://github.com/directus/directus/security/advisories/GHSA-p8v3-m643-4xqx

Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will return `**********` however  if we change the request to `?alias[workaround]=redacted` we can instead retrieve the plain text value for the field. This can be avoided by removing permission to view the sensitive fields entire

GitHub, Inc. AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

GitHub, Inc. CWE-200

GitHub, Inc. https://github.com/directus/directus/commit/e70a90c267bea695afce6545174c2b77517d617b [No types assigned]

GitHub, Inc. https://github.com/directus/directus/security/advisories/GHSA-p8v3-m643-4xqx [No types assigned]