Home > Vulnerability Database > CVE-2024-54151

Mend.io Vulnerability Database

CVE-2024-54151

Good to know:

Date: December 9, 2024

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting "WEBSOCKETS_GRAPHQL_AUTH" or "WEBSOCKETS_REST_AUTH" to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either "WEBSOCKETS_GRAPHQL_AUTH" or "WEBSOCKETS_REST_AUTH" set to "public" allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions. Version 11.3.0 fixes the issue.

Language: TYPE_SCRIPT

Severity Score

7.5

Related Resources (5)

Url: https://github.com/directus/directus/security/advisories/GHSA-849r-qrwj-8rv4

Url: https://github.com/directus/directus

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-54151

Url: https://github.com/directus/directus/commit/ce0397d16cf767b5293cd57f626c5349b5732a21

Url: https://www.mend.io/vulnerability-database/CVE-2024-54151

Severity Score

7.5

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Top Fix

Upgrade Version

Upgrade to version directus - 11.3.0;@directus/api - 23.2.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-54151

Good to know:

Date: December 9, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?