CVE-2023-28443

Name of the Vulnerable Software and Affected Versions Directus versions prior to 9.23.3

Description The issue concerns the improper redaction of the directus refresh token from log outputs, allowing it to be used to impersonate users without their permission. This can lead to issues with accountability and non-repudiation, as actions taken in the application can no longer be confidently attributed to the logged-in user. Examples of potential misuse include a disgruntled employee deleting data or a mischievous engineer uploading questionable content under the guise of an unsuspecting boss.

Recommendations For versions prior to 9.23.3, update to version 9.23.3 to resolve the issue. As a temporary workaround, consider restricting access to log outputs to minimize the risk of exploitation. Avoid using the directus refresh token in the affected API endpoint /auth/refresh until the issue is resolved.