CVE-2024-27296
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
01/03/2024
Last modified:
03/01/2025
Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. The problem has been resolved in versions 10.8.3 and newer.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* | 10.8.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0
- https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j
- https://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0
- https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j