PT-2022-23129 · Directus · Directus

Witold Gorecki · Published 2022-08-19 · Updated 2022-08-30 · CVE-2022-36031

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.15.0
Description: An authenticated user whose role allows updating the filename_disk field of the directus_files collection can set that field to the path of a directory instead of a file. When the file is then requested through the "/assets" endpoint, reading the directory fails and the error is not handled, so the whole Directus process is terminated (denial of service; the CVSS vector scores availability impact only, with no confidentiality or integrity impact). The issue has been patched and release v9.15.0 contains the fix. Users are advised to upgrade to prevent the problem.
Recommendations: For versions prior to 9.15.0, upgrade to version 9.15.0 or later. As a temporary workaround for users unable to upgrade, make sure no untrusted non-admin user has permission to update the filename_disk field of the directus_files collection (review each non-admin role's update permissions on directus_files and remove filename_disk from the permitted fields). An attacker who cannot change that field cannot point a file record at a directory, so the crashing request cannot be set up.

Weakness Enumeration

CWE-755: Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2022-36031
GHSA-77QM-WVQQ-FG79

Affected Products

Directus