GHSA-68g8-c275-xf2m

Source
https://github.com/advisories/GHSA-68g8-c275-xf2m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-68g8-c275-xf2m/GHSA-68g8-c275-xf2m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-68g8-c275-xf2m
Aliases
Published
2024-09-18T17:42:05Z
Modified
2024-09-18T19:25:25Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Directus vulnerable to SSRF Loopback IP filter bypass
Details

Impact

If you are relying on the default 0.0.0.0 filter to block access to localhost, this can be bypassed using other registered loopback addresses (such as 127.0.0.2 through 127.127.127.127).

Workaround

You can block this bypass by manually adding the 127.0.0.0/8 CIDR range to the filter, which blocks access to every 127.X.X.X IP address instead of just 127.0.0.1.
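The difference between the two filters above comes down to exact-address matching versus CIDR matching. The following is an added example written for this page, not Directus code: it implements a small IPv4 deny-list check that accepts both bare addresses and CIDR entries, then evaluates a constructed set of addresses against an exact-match list (the weak configuration the advisory describes) and against a list that includes the 127.0.0.0/8 range from the workaround. The list contents, the function names and the sample addresses are all assumptions made for the example.

```javascript
// Added example (not Directus code): exact-match IP deny list versus a
// CIDR-aware one, using the loopback case from the advisory.
// All deny-list contents and sample addresses below are constructed.

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or null
// if it is malformed. Shorthand and octal forms such as "127.1" or
// "0177.0.0.1" are rejected rather than normalised.
function parseIPv4(str) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// Parse "a.b.c.d/n" or a bare address into { base, mask } as 32-bit
// integers. A bare address is treated as a /32 (exact match).
function parseRule(rule) {
  const pieces = rule.split('/');
  if (pieces.length > 2) return null;
  const base = parseIPv4(pieces[0]);
  if (base === null) return null;
  let prefix = 32;
  if (pieces.length === 2) {
    if (!/^\d{1,2}$/.test(pieces[1])) return null;
    prefix = Number(pieces[1]);
    if (prefix > 32) return null;
  }
  // Mask with `prefix` leading one bits; a /0 must give 0, not a shift by 32.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (base & mask) >>> 0, mask };
}

// True if `ip` matches any rule in `denyList`. Anything that cannot be
// parsed as an IPv4 address is denied (fail closed).
function isDenied(ip, denyList) {
  const target = parseIPv4(ip);
  if (target === null) return true;
  return denyList.some((rule) => {
    const r = parseRule(rule);
    if (r === null) return false; // an unparseable rule cannot match anything
    return ((target & r.mask) >>> 0) === r.base;
  });
}

// Exact-match list of the kind the advisory describes: only the named
// addresses are blocked, so 127.0.0.2 is not.
const WEAK_DENY_LIST = ['0.0.0.0', '127.0.0.1'];
// List following the advisory's workaround: the whole 127.0.0.0/8 block.
const HARDENED_DENY_LIST = ['0.0.0.0', '127.0.0.0/8'];

// Evaluate each address against both lists; returns { ip: [weak, hardened] }.
function compareLists(addresses) {
  const out = {};
  for (const ip of addresses) {
    out[ip] = [isDenied(ip, WEAK_DENY_LIST), isDenied(ip, HARDENED_DENY_LIST)];
  }
  return out;
}

// Constructed sample: the canonical loopback address, two other loopback
// addresses from the advisory's range, and a TEST-NET-3 address standing in
// for an ordinary external host.
const SAMPLE = ['127.0.0.1', '127.0.0.2', '127.127.127.127', '203.0.113.10'];
console.log(JSON.stringify(compareLists(SAMPLE), null, 2));
```

The weak list only denies 127.0.0.1, while the CIDR rule denies every address in 127.0.0.0/8 and leaves the external address untouched. Two design points a practitioner should carry over into a real filter: a deny list is only as good as the address it is applied to, so in an SSRF defence the check belongs on the address the request will actually connect to (after name resolution), and the filter should fail closed on input it cannot parse rather than letting it through.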

Database specific
{
    "nvd_published_at": "2024-09-18T17:15:19Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-18T17:42:05Z"
}
References

Affected packages

npm / directus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
10.13.3

npm / directus

Package

Affected ranges

Type
SEMVER
Events
Introduced
11.0.0
Fixed
11.1.0

npm / @directus/api

Package

Name
@directus/api
Purl
pkg:npm/%40directus/api

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
21.0.0

npm / @directus/api

Package

Name
@directus/api
Purl
pkg:npm/%40directus/api

Affected ranges

Type
SEMVER
Events
Introduced
22.0.0
Fixed
22.1.1