CVE-2022-36031: 
JavaScript vulnerability analysis and mitigation

Directus, a free and open-source data platform for headless content management, was found to contain a vulnerability identified as CVE-2022-36031. The vulnerability was discovered and reported by Witold Gorecki, and was disclosed on August 19, 2022. This security issue affects Directus versions prior to 9.15.0 (GitHub Advisory).

The vulnerability allows an authorized user to abort the Directus process by manipulating the filename_disk value to a folder and accessing that file through the /assets endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Moderate), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, Availability: High (GitHub Advisory).

The primary impact of this vulnerability is on system availability. When successfully exploited, it can cause the Directus process to abort, potentially leading to service disruption. The vulnerability does not affect data confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in Directus version 9.15.0. For users unable to upgrade immediately, a workaround is available by ensuring that no non-admin users (especially untrusted users) have permissions to update the filename_disk field on directus_files (GitHub Advisory).