CVE-2024-46990 — Improper Access Control in Directus

CWE-284 — Improper Access Control CWE-918 — Server-Side Request Forgery3 documents3 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 53.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Directus Monospace Directus Directus API

Timeline

PublishedSep 18

Description

Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range which will block access to any `1…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages4 packages

▶npmdirectus/api22.0.0 — 22.1.1+1

▶CVEListV5directus/directus< 10.13.3+1

▶npmdirectus/directus11.0.0 — 11.1.0+1

▶NVDmonospace/directus11.0.0 — 11.1.0+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Directus vulnerable to SSRF Loopback IP filter bypass↗2024-09-18

▶

GHSA

Directus vulnerable to SSRF Loopback IP filter bypass↗2024-09-18

▶