CVE-2024-47822

Description

### Summary Access token from query string is not redacted and is potentially exposed in system logs which may be persisted. ### Details The access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation. ### PoC 1. Set `LOG_LEVEL="raw"` in the environment. 2. Send a request with the `access_token` in the query string. 3. Notice that the `access_token` in `req.query` is not redacted. ### Impact It impacts systems where the `LOG_STYLE` is set to `raw`. The `access_token` in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string.

Affected packages (1)

• npm/@directus/apifrom 0, < 21.0.0

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-47822
• PATCHhttps://github.com/directus/directus
• WEBhttps://github.com/directus/directus/commit/2e893f9c576d5a02506272fe2c0bcc12e6c58768
• WEBhttps://github.com/directus/directus/security/advisories/GHSA-vw58-ph65-6rxp