Veracode Vulnerability Database: VERACODE:45765
History: Mar 05, 2024 - 9:36 a.m.

Sensitive Information Disclosure

2024-03-05 09:36:10
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
sensitive information disclosure
directus
vulnerability
insecure handling
version information
js bundles
authentication
malicious attacker
known vulnerabilities
dependencies

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.6 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Directus is vulnerable to sensitive information disclosure. The vulnerability is due to insecure handling of version information: the exact version number is included in compiled JS bundles that are accessible without authentication. A malicious attacker can use this information to identify and target known vulnerabilities in Directus core or its dependencies that are specific to the running version.

CPE   Name       Operator   Version
      directus   le         10.8.2
      directus   le         10.8.2
