CVE-2023-28443

Summary

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.

Affected Software

VendorProductVersion RangeStatus
directusdirectus< 9.23.3affected

Weaknesses

  • CWE-532: CWE-532: Insertion of Sensitive Information into Log File
  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References