
CVE-2024-27296: Directus version number disclosure

CVSS Score (v3.1)
5.3

Basic Information

EPSS Score
0.47856%
Published
3/1/2024
Updated
3/1/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| directus     | npm       | <= 10.8.2           | 10.8.3                |

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from hardcoded version references via the `__DIRECTUS_VERSION__` constant, which Vite's build process injected into the app at compile time. The `init` function in `main.ts` used the constant for logging, and `navigation.vue` rendered it in the UI, so both embedded the version string in client-side JS bundles that are served without authentication. The patch removed these direct references and moved version retrieval to authenticated API calls in `server.ts`. These functions were identified as vulnerable through their direct use of the build-injected constant that exposed the version.
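The check a practitioner would want after reading the root cause above, as an added example that is not Miggo's code or the Directus project's code: it scans the JavaScript bundles an admin app serves without authentication for a baked-in version string (the build-time constant pattern described above) and reports whether any version found falls in the affected range from the table (<= 10.8.2, first patched 10.8.3). Everything is constructed and runs offline: the admin HTML, the "leaky" and "fixed" bundle texts, the bundle URL, the log line format and the `/server/info` fetch are all assumptions made for the example, not quotes of Directus source.

```javascript
// Added example (not Miggo's or Directus's code). Detects a build-time version
// constant leaking through unauthenticated client bundles, the pattern the root
// cause analysis describes, and flags versions below the first patched release.

const FIRST_PATCHED = "10.8.3"; // from the advisory table above

// Semver-ish version; a prerelease suffix is tolerated and ignored when comparing.
const SEMVER = String.raw`\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?`;

// Where an inlined version constant tends to surface in a minified bundle:
// a startup log line next to the product name, or a version property/assignment.
const LEAK_PATTERNS = [
  new RegExp(String.raw`Directus\s+v?(${SEMVER})`, "g"),
  new RegExp(String.raw`version\s*[:=]\s*["'](${SEMVER})["']`, "gi"),
];

// Pull <script src="..."> references out of the admin index page.
function extractScriptUrls(html) {
  const urls = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Distinct version strings found in one bundle's text.
function findVersionLeaks(bundleText) {
  const found = new Set();
  for (const pattern of LEAK_PATTERNS) {
    pattern.lastIndex = 0; // global regexes are stateful; reset before reuse
    let m;
    while ((m = pattern.exec(bundleText)) !== null) found.add(m[1]);
  }
  return [...found];
}

// Compare major.minor.patch numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory table: every release before 10.8.3.
function isAffected(version) {
  return compareVersions(version, FIRST_PATCHED) < 0;
}

// html: the admin page fetched without credentials; bundles: Map of script URL
// -> bundle text (fetched the same way). Returns one finding per leaked version.
function auditAdminApp(html, bundles) {
  const findings = [];
  for (const url of extractScriptUrls(html)) {
    const text = bundles.get(url);
    if (text === undefined) continue; // external or not fetched
    for (const version of findVersionLeaks(text)) {
      findings.push({ url, version, affected: isAffected(version) });
    }
  }
  return findings;
}

// Constructed sample inputs (not real Directus output): an admin index page,
// a bundle with the version inlined, and a bundle that fetches it after login.
const BUNDLE_URL = "/admin/assets/index-a1b2c3.js";
const ADMIN_HTML = `<!doctype html><html><head>
<script type="module" crossorigin src="${BUNDLE_URL}"></script>
</head><body><div id="app"></div></body></html>`;
const LEAKY_BUNDLE =
  'console.log("Starting Directus v10.8.2");const s={version:"10.8.2",project:null};';
const FIXED_BUNDLE =
  'console.log("Starting Directus");' +
  'async function info(){return (await fetch("/server/info",{credentials:"include"})).json()}';

const leaky = auditAdminApp(ADMIN_HTML, new Map([[BUNDLE_URL, LEAKY_BUNDLE]]));
const fixed = auditAdminApp(ADMIN_HTML, new Map([[BUNDLE_URL, FIXED_BUNDLE]]));
console.log(JSON.stringify({ leaky, fixed }, null, 2));
```

Against a live instance you would fetch the admin page and each referenced bundle without a session cookie and pass them to `auditAdminApp`; an empty result means the bundles carry no version string, which is what the patched build should give, and a finding with `affected: true` means the instance both leaks its version and is below 10.8.3.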

Vulnerable functions

Only Miggo users can see this section.

Impact

Currently the exact directus version number is being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in directus core or a
