CVE-2024-27296 — Sensitive Information Exposure in Directus

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 36.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Directus Monospace Directus

Timeline

PublishedMar 1

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. The problem has been resolved in versions 10.8.3 and newer.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5directus/directus< 10.8.3

▶npmdirectus/directus< 10.8.3

▶NVDmonospace/directus< 10.8.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Directus version number disclosure↗2024-03-01

▶

OSV

Directus version number disclosure↗2024-03-01

▶