Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01bWhnLXd2OHctcDU5as4AA5sN
Directus version number disclosure
Impact
Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version.
Patches
The problem has been resolved in versions 10.8.3 and newer
Workarounds
None
Permalink: https://github.com/advisories/GHSA-5mhg-wv8w-p59jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bWhnLXd2OHctcDU5as4AA5sN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-5mhg-wv8w-p59j, CVE-2024-27296
References:
- https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j
- https://nvd.nist.gov/vuln/detail/CVE-2024-27296
- https://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0
- https://github.com/advisories/GHSA-5mhg-wv8w-p59j
Blast Radius: 10.9
Affected Packages
npm:directus
Dependent packages: 16Dependent repositories: 115
Downloads: 63,444 last month
Affected Version Ranges: <= 10.8.2
Fixed in: 10.8.3
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2
All unaffected versions: 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 10.10.7