CVE-2024-27296

MEDIUM5.3EPSS 0.44%

Directus version number disclosure

Published: 3/1/2024Modified: 3/1/2024

Description

### Impact Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. ### Patches The problem has been resolved in versions 10.8.3 and newer ### Workarounds None

Affected packages (1)

npm/directusfrom 0, < 10.8.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-27296
PATCHhttps://github.com/directus/directus
WEBhttps://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0
WEBhttps://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j