Improper Access Control
CVE-2024-46990
Summary
Directus is a real-time API and app dashboard for managing SQL database content. When relying on blocking access to localhost using the default "0.0.0.0" filter, a user may bypass this block by using other registered loopback devices (like "127.0.0.2" - "127.127.127.127"). The vulnerability affects @directus/api versions through 21.0.0 and 22.0.0 through 22.1.1, and directus versions through 10.13.2 and 11.0.0 through 11.0.2. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the "127.0.0.0/8" CIDR range, which will block access to any "127.X.X.X" IP instead of just "127.0.0.1".
- LOW
- NETWORK
- NONE
- CHANGED
- NONE
- LOW
- LOW
- NONE
CWE-284 - Improper Access Control
Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.
References
Advisory Timeline
- Published
