CVE-2024-46990

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-46990

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46990.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-46990

Aliases

GHSA-68g8-c275-xf2m

Published

2024-09-18T16:55:24.255Z

Modified

2026-06-15T12:23:09.272149598Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

SSRF Loopback IP filter bypass in directus

Details

Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default 0.0.0.0 filter a user may bypass this block by using other registered loopback devices (like 127.0.0.2 - 127.127.127.127). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the 127.0.0.0/8 CIDR range which will block access to any 127.X.X.X ip instead of just 127.0.0.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46990.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ]
}

References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type

GIT

Repo

https://github.com/directus/directus

Events

Introduced

Fixed

7dc377f8fd7a3811e19291a2521d775498455422

Introduced

2b02764ac8a4aac3df7764ca935ad7f9e48581b7

Fixed

1b1ab7713e543d491a8320fd2e337e96134df2dd

Fixed

4aace0bbe57232e38cd6a287ee475293e46dc91b

Fixed

769fa22797bff5a9231599883b391e013f122e52

Fixed

8cbf943b65fd4a763d09a5fdbba8996b1e7797ff

Fixed

c1f3ccc681595038d094ce110ddeee38cb38f431

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.13.3"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.1.0"
        }
    ],
    "cpe": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

10.*

10.11.2

v10.*

v10.0.0

v10.1.0

v10.1.1

v10.10.0

v10.10.1

v10.10.2

v10.10.3

v10.10.4

v10.10.5

v10.10.6

v10.10.7

v10.11.0

v10.11.1

v10.11.2

v10.12.1

v10.13.0

v10.13.1

v10.13.2

v10.2.0

v10.2.1

v10.3.0

v10.4.0

v10.4.2

v10.4.3

v10.5.0

v10.5.1

v10.5.2

v10.5.3

v10.6.0

v10.6.1

v10.6.2

v10.6.3

v10.6.4

v10.7.0

v10.7.1

v10.7.2

v10.8.0

v10.8.1

v10.8.2

v10.8.3

v10.9.0

v10.9.1

v10.9.2

v10.9.3

v11.*

v11.0.0

v11.0.1

v11.0.2

v9.*

v9.0.0

v9.0.0-alpha.10

v9.0.0-alpha.14

v9.0.0-alpha.15

v9.0.0-alpha.16

v9.0.0-alpha.17

v9.0.0-alpha.18

v9.0.0-alpha.20

v9.0.0-alpha.21

v9.0.0-alpha.22

v9.0.0-alpha.23

v9.0.0-alpha.24

v9.0.0-alpha.25

v9.0.0-alpha.26

v9.0.0-alpha.27

v9.0.0-alpha.31

v9.0.0-alpha.32

v9.0.0-alpha.33

v9.0.0-alpha.34

v9.0.0-alpha.36

v9.0.0-alpha.37

v9.0.0-alpha.38

v9.0.0-alpha.39

v9.0.0-alpha.4

v9.0.0-alpha.40

v9.0.0-alpha.41

v9.0.0-alpha.42

v9.0.0-alpha.5

v9.0.0-alpha.6

v9.0.0-alpha.7

v9.0.0-alpha.8

v9.0.0-alpha.9

v9.0.0-beta.0

v9.0.0-beta.1

v9.0.0-beta.10

v9.0.0-beta.11

v9.0.0-beta.12

v9.0.0-beta.13

v9.0.0-beta.14

v9.0.0-beta.2

v9.0.0-beta.3

v9.0.0-beta.4

v9.0.0-beta.5

v9.0.0-beta.7

v9.0.0-beta.8

v9.0.0-beta.9

v9.0.0-rc.0

v9.0.0-rc.1

v9.0.0-rc.10

v9.0.0-rc.100

v9.0.0-rc.101

v9.0.0-rc.11

v9.0.0-rc.12

v9.0.0-rc.13

v9.0.0-rc.14

v9.0.0-rc.15

v9.0.0-rc.17

v9.0.0-rc.18

v9.0.0-rc.19

v9.0.0-rc.2

v9.0.0-rc.20

v9.0.0-rc.21

v9.0.0-rc.22

v9.0.0-rc.23

v9.0.0-rc.24

v9.0.0-rc.25

v9.0.0-rc.26

v9.0.0-rc.27

v9.0.0-rc.28

v9.0.0-rc.29

v9.0.0-rc.3

v9.0.0-rc.30

v9.0.0-rc.31

v9.0.0-rc.32

v9.0.0-rc.33

v9.0.0-rc.34

v9.0.0-rc.35

v9.0.0-rc.36

v9.0.0-rc.37

v9.0.0-rc.38

v9.0.0-rc.39

v9.0.0-rc.4

v9.0.0-rc.40

v9.0.0-rc.41

v9.0.0-rc.42

v9.0.0-rc.43

v9.0.0-rc.44

v9.0.0-rc.45

v9.0.0-rc.46

v9.0.0-rc.47

v9.0.0-rc.48

v9.0.0-rc.49

v9.0.0-rc.5

v9.0.0-rc.50

v9.0.0-rc.51

v9.0.0-rc.52

v9.0.0-rc.53

v9.0.0-rc.54

v9.0.0-rc.55

v9.0.0-rc.56

v9.0.0-rc.57

v9.0.0-rc.58

v9.0.0-rc.59

v9.0.0-rc.6

v9.0.0-rc.60

v9.0.0-rc.61

v9.0.0-rc.62

v9.0.0-rc.63

v9.0.0-rc.64

v9.0.0-rc.65

v9.0.0-rc.66

v9.0.0-rc.67

v9.0.0-rc.68

v9.0.0-rc.69

v9.0.0-rc.7

v9.0.0-rc.70

v9.0.0-rc.71

v9.0.0-rc.72

v9.0.0-rc.73

v9.0.0-rc.74

v9.0.0-rc.75

v9.0.0-rc.76

v9.0.0-rc.77

v9.0.0-rc.78

v9.0.0-rc.79

v9.0.0-rc.8

v9.0.0-rc.80

v9.0.0-rc.81

v9.0.0-rc.82

v9.0.0-rc.83

v9.0.0-rc.84

v9.0.0-rc.85

v9.0.0-rc.86

v9.0.0-rc.87

v9.0.0-rc.88

v9.0.0-rc.89

v9.0.0-rc.9

v9.0.0-rc.90

v9.0.0-rc.91

v9.0.0-rc.92

v9.0.0-rc.93

v9.0.0-rc.94

v9.0.0-rc.95

v9.0.0-rc.96

v9.0.0-rc.97

v9.0.0-rc.98

v9.0.0-rc.99

v9.0.0-y.0

v9.0.1

v9.1.0

v9.1.1

v9.1.2

v9.10.0

v9.11.0

v9.11.1

v9.12.0

v9.12.1

v9.12.2

v9.13.0

v9.14.1

v9.14.2

v9.14.3

v9.14.4

v9.14.5

v9.15.0

v9.15.1

v9.16.0

v9.16.1

v9.17.0

v9.17.1

v9.17.2

v9.17.3

v9.17.4

v9.18.0

v9.18.1

v9.19.0

v9.19.1

v9.19.2

v9.2.0

v9.2.1

v9.2.2

v9.20.0

v9.20.1

v9.20.2

v9.20.3

v9.20.4

v9.21.0

v9.21.1

v9.21.2

v9.22.0

v9.22.1

v9.22.2

v9.22.3

v9.22.4

v9.23.0

v9.23.1

v9.23.2

v9.23.3

v9.23.4

v9.24.0

v9.25.0

v9.25.1

v9.25.2

v9.26.0

v9.3.0

v9.4.0

v9.4.1

v9.4.2

v9.4.3

v9.5.0

v9.5.1

v9.5.2

v9.6.0

v9.7.0

v9.7.1

v9.8.0

v9.9.0

v9.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46990.json"