GHSA-5mhg-wv8w-p59j

Source

https://github.com/advisories/GHSA-5mhg-wv8w-p59j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5mhg-wv8w-p59j/GHSA-5mhg-wv8w-p59j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5mhg-wv8w-p59j

Aliases

CVE-2024-27296

Published

2024-03-01T20:11:05Z

Modified

2024-03-01T20:26:40.084875Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Directus version number disclosure

Details

Impact

Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version.

Patches

The problem has been resolved in versions 10.8.3 and newer

Workarounds

None

References

Affected packages

npm / directus

Package

Name: directus; View open source insights on deps.dev
Purl: pkg:npm/directus

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.8.3

Database specific

{
    "last_known_affected_version_range": "<= 10.8.2"
}