GHSA-68g8-c275-xf2m

Source

https://github.com/advisories/GHSA-68g8-c275-xf2m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-68g8-c275-xf2m/GHSA-68g8-c275-xf2m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-68g8-c275-xf2m

Aliases

CVE-2024-46990

Published

2024-09-18T17:42:05Z

Modified

2024-09-18T19:25:25Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator

Summary

Directus vulnerable to SSRF Loopback IP filter bypass

Details

Impact

If you're relying on blocking access to localhost using the default 0.0.0.0 filter this can be bypassed using other registered loopback devices (like 127.0.0.2 - 127.127.127.127)

Workaround

You can block this bypass by manually adding the 127.0.0.0/8 CIDR range which will block access to any 127.X.X.X ip instead of just 127.0.0.1.

References

Affected packages

npm / directus

Package

Name: directus; View open source insights on deps.dev
Purl: pkg:npm/directus

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.13.3

npm / directus

Package

Name: directus; View open source insights on deps.dev
Purl: pkg:npm/directus

Affected ranges

Type: SEMVER
Events: Introduced

11.0.0

Fixed

11.1.0

npm / @directus/api

Package

Name: @directus/api; View open source insights on deps.dev
Purl: pkg:npm/%40directus/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

21.0.0