5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34709

GHSA ID

GHSA-g65h-35f3-x2w3

EPSS Score

0.38516%

CWE

CWE-613

Published

5/13/2024

Updated

5/14/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34709

CVE-2024-34709: Directus Lacks Session Tokens Invalidation

Summary

Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be. When authenticating a session token JWT, Directus should also check whether the associated directus_session both still exists and has not expired (although the token should expire at the same time or before the session) to ensure leaked tokens are not valid indefinitely.

Steps to reproduce

Copy the current session token from the cookie
Refresh and or log out
Use the saved session token to check if it is still valid

Impact

The lack of proper session expiration may improve the likely success of certain attacks. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34709

GHSA ID

GHSA-g65h-35f3-x2w3

EPSS Score

0.38516%

CWE

CWE-613

Published

5/13/2024

Updated

5/14/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	>= 10.10.0, < 10.11.0	10.11.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing session validation during token verification. The commit adds a new 'verifySessionJWT' check within getAccountabilityForToken, indicating this function was previously incomplete. Before the patch, it only validated JWT cryptographically but didn't verify session state in the database, making it the vulnerable entry point for unrevoked session tokens.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *urr*ntly s*ssion tok*ns *un*tion lik* t** ot**r JWT tok*ns w**r* t**y *r* not **tu*lly inv*li**t** w**n lo**in* out. T** `*ir**tus_s*ssion` **ts **stroy** *n* t** *ooki* **ts **l*t** *ut i* you **ptur** t** *ooki* v*lu* it will still wor

Reasoning

T** vuln*r**ility st*ms *rom missin* s*ssion v*li**tion *urin* tok*n v*ri*i**tion. T** *ommit ***s * n*w 'v*ri*yS*ssionJWT' ****k wit*in `**t***ount**ility*orTok*n`, in*i**tin* t*is `*un*tion` w*s pr*viously in*ompl*t*. ***or* t** p*t**, it only v*li

5.4

Basic Information

Concerned about an active attack path?

CVE-2024-34709: Directus Lacks Session Tokens Invalidation

Summary

Steps to reproduce

Impact

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI