Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OGc4LWMyNzUteGYybc4AA_rG
Directus vulnerable to SSRF Loopback IP filter bypass
Impact
If you're relying on blocking access to localhost using the default 0.0.0.0 filter, this can be bypassed using other registered loopback devices (like 127.0.0.2 - 127.127.127.127).
Workaround
You can block this bypass by manually adding the 127.0.0.0/8 CIDR range, which will block access to any 127.X.X.X IP instead of just 127.0.0.1.
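The following is an added example, not code from Directus or from ecosyste.ms. It shows, in a small IPv4 deny-list matcher, why a list that names only 127.0.0.1 leaves the rest of the loopback block reachable and how a 127.0.0.0/8 CIDR entry closes that gap. The deny-list format (a comma-separated string of IPv4 addresses and/or IPv4 CIDR ranges), the list contents, and the function names are assumptions for illustration; the matcher also assumes the caller has already resolved the request host name to a single IPv4 address. It handles any prefix length, not just /8, so it generalizes beyond the one range the workaround names.

```javascript
// Added example (not Directus code): IPv4 deny-list matching with CIDR support.
// Assumed deny-list format: "a.b.c.d,e.f.g.h/n,..." (constructed for this example).

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer; throws on bad input.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, part) => {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) {
      throw new Error(`not an IPv4 address: ${ip}`);
    }
    return acc * 256 + Number(part);
  }, 0);
}

// Parse "a.b.c.d" or "a.b.c.d/n" into a {network, mask} pair (both unsigned 32-bit).
// A bare address is treated as a /32, i.e. it matches exactly one host.
function parseDenyEntry(entry) {
  const [addr, prefixStr] = entry.trim().split('/');
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`bad prefix length in deny entry: ${entry}`);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { network: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

function parseDenyList(denyListString) {
  return denyListString
    .split(',')
    .filter((e) => e.trim() !== '')
    .map(parseDenyEntry);
}

// Returns true when the destination must be refused. Anything that is not a
// well-formed IPv4 address (including IPv6 literals such as ::1) is refused
// as well, so the check fails closed rather than open.
function isBlockedDestination(ip, denyListString) {
  let n;
  try {
    n = ipv4ToInt(ip);
  } catch (e) {
    return true;
  }
  return parseDenyList(denyListString).some(
    (rule) => ((n & rule.mask) >>> 0) === rule.network
  );
}

// Constructed deny lists: the narrow one names only 127.0.0.1, the hardened
// one uses the 127.0.0.0/8 range from the advisory workaround.
const NARROW_DENY_LIST = '0.0.0.0,127.0.0.1';
const HARDENED_DENY_LIST = '0.0.0.0,127.0.0.0/8';

// Check a set of loopback candidates against a deny list and return the
// addresses the list fails to block (an empty array means no gap).
function loopbackGaps(denyListString) {
  const candidates = ['127.0.0.1', '127.0.0.2', '127.127.127.127', '127.255.255.255'];
  return candidates.filter((ip) => !isBlockedDestination(ip, denyListString));
}

console.log('narrow list lets through:', loopbackGaps(NARROW_DENY_LIST));
console.log('hardened list lets through:', loopbackGaps(HARDENED_DENY_LIST));
```

Run with `node` to see the narrow list let 127.0.0.2, 127.127.127.127 and 127.255.255.255 through while the hardened list blocks all four. The matcher deliberately rejects anything it cannot parse as IPv4, so an IPv6 loopback literal is refused rather than silently allowed; a production filter would need proper IPv6 handling on top of this.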
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OGc4LWMyNzUteGYybc4AA_rG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 25 days ago
Updated: 24 days ago
CVSS Score: 5.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Identifiers: GHSA-68g8-c275-xf2m, CVE-2024-46990
References:
- https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
- https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
- https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
- https://nvd.nist.gov/vuln/detail/CVE-2024-46990
- https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
- https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
- https://github.com/advisories/GHSA-68g8-c275-xf2m
Blast Radius: 10.3
Affected Packages
npm:@directus/api
Dependent packages: 9
Dependent repositories: 95
Downloads: 55,851 last month
Affected Version Ranges: >= 22.0.0, < 22.1.1, < 21.0.0
Fixed in: 22.1.1, 21.0.0
All affected versions: 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.0.1, 11.1.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 13.0.0, 13.1.0, 13.1.1, 13.2.0, 14.0.0, 14.0.1, 14.0.2, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 16.0.0, 17.0.0, 17.0.1, 17.1.0, 18.0.0, 18.1.0, 18.1.1, 18.2.0, 18.2.1, 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.2.0, 19.3.0, 19.3.1, 20.0.0, 20.1.0, 22.0.0, 22.1.0
All unaffected versions: 21.0.0, 21.0.1, 22.1.1, 22.2.0, 23.0.0
npm:directus
Dependent packages: 16
Dependent repositories: 115
Downloads: 54,218 last month
Affected Version Ranges: >= 11.0.0, < 11.1.0, < 10.13.3
Fixed in: 11.1.0, 10.13.3
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 10.10.7, 10.11.0, 10.11.1, 10.11.2, 10.12.0, 10.12.1, 10.13.0, 10.13.1, 10.13.2, 11.0.0, 11.0.1, 11.0.2
All unaffected versions: 11.1.0, 11.1.1