GitHub Advisory Database, GHSA-5MHG-WV8W-P59J
History: Mar 01, 2024 - 8:11 p.m.

Directus version number disclosure

2024-03-01 20:11:05
CWE-200
GitHub Advisory Database
github.com
Tags: directus, version disclosure, js bundles, authentication, vulnerabilities, patches, workarounds

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.9 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Impact

Currently, the exact Directus version number is shipped in compiled JS bundles, which are accessible without authentication. With this information, an attacker can trivially look up known vulnerabilities in Directus core, or in any of its shipped dependencies, for that specific running version.

Patches

The problem has been resolved in versions 10.8.3 and newer.

Workarounds

None

Affected configurations

Vulners
Node: rangerstudio directus, Range: 10.8.2
CPE: Name directus, Operator le, Version 10.8.2
