CVE-2024-27296: Directus version number disclosure

March 1, 2024

Impact

Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version.

Patches

The problem has been resolved in versions 10.8.3 and newer

Workarounds

None

References

github.com/advisories/GHSA-5mhg-wv8w-p59j
github.com/directus/directus
github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0
github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j
nvd.nist.gov/vuln/detail/CVE-2024-27296

Code Behaviors & Features

Detect and mitigate CVE-2024-27296 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →