| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| directus | npm | < 11.13.0 | 11.13.0 |
The vulnerability lies in the incomplete deletion of field-related data, specifically permissions. When a field is deleted, the system should not only remove the field definition but also any access control rules associated with it. The provided patch addresses this issue by modifying the FieldsService to include a cleanup step for permissions.
The analysis of the commit 84d7636969083387164ce5d2fd15a65e11e2d0b8 reveals that the file api/src/services/fields.ts was modified. The changes are within the FieldsService class, inside a function that handles field deletion. Based on the code context and common naming conventions, this function is identified as deleteField. The patch adds a new block of code that queries the directus_permissions table for any permissions that apply to the field being deleted. It then removes the deleted field from the fields list in those permission rules.
The vulnerable function is therefore FieldsService.deleteField: it lacked the logic needed to fully clean up permissions, leaving stale access rules that still reference the deleted field. A request to delete a field triggers this function, and its incomplete cleanup sets the stage for the vulnerability when a new field with the same name is created, because the old rules then apply to the new field.
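To make the failure mode concrete, the following is an added in-memory model of the cleanup described above; it is not Directus's own code, and the permission rule shape and the "*" wildcard handling are assumptions kept to the columns the page names.

```typescript
// Added example, not Directus's own code: an in-memory model of the permission cleanup
// the patch adds to FieldsService.deleteField. Rule shape is assumed; "*" = all fields.
type Action = "read" | "create" | "update" | "delete";
interface PermissionRule { role: string; collection: string; action: Action; fields: string[] | null }
interface State {
  fields: { collection: string; field: string }[]; // simplified directus_fields
  permissions: PermissionRule[];                    // simplified directus_permissions
}

// Delete a field. cleanup=false mirrors the vulnerable behaviour: the definition
// is removed but rules that list the field by name are left intact.
function deleteField(state: State, collection: string, field: string, cleanup = true): State {
  const fields = state.fields.filter(f => !(f.collection === collection && f.field === field));
  if (!cleanup) return { fields, permissions: state.permissions };
  const permissions = state.permissions.map(rule => {
    const listed = rule.fields ?? [];
    if (rule.collection !== collection || !listed.includes(field)) return rule;
    return { ...rule, fields: listed.filter(f => f !== field) }; // strip the stale entry
  });
  return { fields, permissions };
}

function createField(state: State, collection: string, field: string): State {
  return { ...state, fields: [...state.fields, { collection, field }] };
}

// Roles whose rules grant `action` on an existing field, by wildcard or by name.
function rolesWithAccess(state: State, collection: string, action: Action, field: string): string[] {
  if (!state.fields.some(f => f.collection === collection && f.field === field)) return [];
  return state.permissions
    .filter(r => r.collection === collection && r.action === action && r.fields !== null
      && (r.fields.includes("*") || r.fields.includes(field)))
    .map(r => r.role);
}

// Constructed sample: "viewer" may read name and salary; "admin" may read everything.
const sample: State = {
  fields: [{ collection: "employees", field: "name" }, { collection: "employees", field: "salary" }],
  permissions: [
    { role: "viewer", collection: "employees", action: "read", fields: ["name", "salary"] },
    { role: "admin", collection: "employees", action: "read", fields: ["*"] },
  ],
};
// The advisory's scenario: delete salary, recreate a field with the same name,
// then ask which roles can read it. Expected: ["viewer","admin"] without cleanup, ["admin"] with.
function recreateScenario(cleanup: boolean): string[] {
  const afterDelete = deleteField(sample, "employees", "salary", cleanup);
  return rolesWithAccess(createField(afterDelete, "employees", "salary"), "employees", "read", "salary");
}
```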
Vulnerable function: FieldsService.deleteField (api/src/services/fields.ts)