Directus
CVE-2024-46990
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 npm packages depend on @directus/api (1 direct, 1 indirect)
- 2 npm packages depend on directus (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 22.0.0 and other introduced versions.
DescriptionNVD
Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default 0.0.0.0 filter a user may bypass this block by using other registered loopback devices (like 127.0.0.2 - 127.127.127.127). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the 127.0.0.0/8 CIDR range which will block access to any 127.X.X.X ip instead of just 127.0.0.1.
AnalysisAI
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-284. Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default 0.0.0.0 filter a user may bypass this block by using other registered loopback devices (like 127.0.0.2 - 127.127.127.127). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the 127.0.0.0/8 CIDR range which will block access to any 127.X.X.X ip instead of just 127.0.0.1. Affected products include: Monospace Directus.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. Ra
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions incl
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any contr
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.6), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.2), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.7), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. Rated high severity (
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today