CVE-2024-27296

2024-03-0116:15:46

CWE-200

[email protected]

web.nvd.nist.gov

directus

real-time

api

app dashboard

sql

database

content

vulnerability

cve-2024-27296

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. The problem has been resolved in versions 10.8.3 and newer.

Affected configurations

Vulners

Node

directusdirectusRange<10.8.3

CNA Affected

[
  {
    "vendor": "directus",
    "product": "directus",
    "versions": [
      {
        "version": "< 10.8.3",
        "status": "affected"
      }
    ]
  }
]