Security
Headlines

Headlines Latest CVEs

Headline

GHSA-5mhg-wv8w-p59j: Directus version number disclosure

Impact

Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version.

Patches

The problem has been resolved in versions 10.8.3 and newer

Workarounds

None

8 months ago

#vulnerability #nodejs #js #git #auth

Package

npm directus (npm)

Affected versions

<= 10.8.2

Description

Impact

Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version.

Patches

The problem has been resolved in versions 10.8.3 and newer

Workarounds

None

References

GHSA-5mhg-wv8w-p59j
https://nvd.nist.gov/vuln/detail/CVE-2024-27296
directus/directus@a5a1c26

Published to the GitHub Advisory Database

Mar 1, 2024

ghsa: Latest News

GHSA-g85v-wf27-67xc: Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

2 hours ago

GHSA-8495-4g3g-x7pr: aiohttp allows request smuggling due to incorrect parsing of chunk extensions

5 hours ago

GHSA-27mf-ghqm-j3j8: aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

5 hours ago

GHSA-jp37-5qhw-mffw: Sharks has a Bias of Polynomial Coefficients in Secret Sharing

6 hours ago

GHSA-vggm-3478-vm5m: Graylog concurrent PDF report rendering can leak other users' reports

6 hours ago