CVE-2024-39701

Name of the Vulnerable Software and Affected Versions Directus versions 9.23.0 through 10.5.3

Description The issue arises from the improper handling of in and nin operators in Directus, where empty arrays are evaluated as valid. This leads to Broken Access Control, as rules intended to pass only when a field matches any of the given values fail to function correctly. For instance, an expression like {"role": {" in": $CURRENT USER.some field}} would evaluate to true, allowing the request to pass even when it should not. This can result in users gaining access to unauthorized resources.

Recommendations For Directus versions 9.23.0 through 10.5.3, update to version 10.6.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the in and nin operators in filter rules until the update can be applied. Additionally, review and adjust validation rules to ensure they are not relying on the faulty behavior of these operators.