"Directus Open-Source, Free & Unlimited. No Strings Attached. Our premium software is available at no cost for commercial and personal use. This self-hosted version is full-featured, with no artificial limitations."
The vendor provides an updated version for v8 which fixes the security issue. It should be installed immediately.
Note: Directus v8 has been deprecated/discontinued and is replaced by version 9, which does not yet have a final release. Updating to Directus v9 also fixes this vulnerability, because its Node.js architecture replaces the PHP API and is therefore not affected.
According to the vendor, the identified security issue only applies to v8 installations that rely on the specific Apache-based configuration in the Docker image and use the local-storage driver for uploads. The vendor's recommendation for such installations is to use an S3 connection for storage, install the patched version v8.8.2, or upgrade to version 9.
1) Arbitrary File Upload and Bypassing .htaccess Rules (CVE-2021-29641)
Any low-privileged user with file upload permissions can upload webshells or other malicious PHP files, which are then stored under /uploads/_/originals/. If the server prevents the execution of PHP files in the upload directory, the attacker can move the file into a subdirectory and upload a custom .htaccess file there to re-enable PHP execution. Server-side command execution can then be used to retrieve the Directus configuration and database credentials, escalate in-app privileges, retrieve password hashes, or move laterally in the network.
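A defender-side check for the condition the advisory describes, added here as an example and not part of the original advisory or the Directus project: it walks an upload tree such as /uploads/_/originals/ and flags user-supplied .htaccess files, PHP-executable extensions (including double extensions), and files whose content carries a PHP open tag. The sample tree and its file contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions that mod_php / php-fpm setups commonly map to the PHP handler (assumption).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}


def classify_file(path: Path) -> list[str]:
    """Return the reasons a file under the upload tree looks like a PHP-execution risk."""
    reasons = []
    if path.name.lower() == ".htaccess":
        # Directus itself never writes .htaccess into the upload tree; a user-supplied
        # one can override the server's "no PHP here" rules for that subdirectory.
        reasons.append("htaccess-override")
    # Check every dotted suffix: "shell.php.jpg" is still a risk where the handler
    # mapping is not anchored to the end of the file name.
    for suffix in path.suffixes:
        if suffix.lower() in PHP_EXTENSIONS:
            reasons.append(f"php-extension:{suffix.lower()}")
            break
    try:
        head = path.read_bytes()[:256]
    except OSError:
        head = b""
    if b"<?php" in head or b"<?=" in head:
        reasons.append("php-open-tag")  # PHP code hiding behind a harmless extension
    return reasons


def audit_uploads(uploads_root: str) -> dict[str, list[str]]:
    """Map each suspicious path (relative to the upload root) to its list of reasons."""
    root = Path(uploads_root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            reasons = classify_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree() -> str:
    """Constructed sample upload tree mirroring the /uploads/_/originals layout (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="directus-uploads-"))
    originals = root / "_" / "originals"
    (originals / "sub").mkdir(parents=True)
    (originals / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg data")      # benign
    (originals / "report.pdf").write_bytes(b"%PDF-1.4 constructed")          # benign
    (originals / "sub" / ".htaccess").write_text("# constructed user-supplied override\n")
    (originals / "sub" / "image.jpg").write_text("<?php echo 'constructed'; ?>")
    (originals / "notes.phtml").write_text("plain text, risky extension only\n")
    return str(root)


if __name__ == "__main__":
    for rel_path, why in sorted(audit_uploads(build_sample_tree()).items()):
        print(f"{rel_path}: {', '.join(why)}")
```

Run it against the real upload directory with `audit_uploads("/path/to/uploads")`; any .htaccess hit or PHP open tag under an image name warrants an incident check, and `AllowOverride None` on that directory removes the override route entirely.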