PT-2024-32325 · Directus · Directus
R3Dpower
·
Published
2024-09-18
·
Updated
2025-11-17
·
CVE-2024-46990
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Directus versions prior to 10.13.3
Directus versions prior to 11.1.0
Description
The issue allows a user to bypass the block on localhost access by using other registered loopback devices, such as 127.0.0.2 through 127.127.127.127. This can be exploited to achieve full SSRF. The problem arises when relying on the default 0.0.0.0 filter to block access to localhost.
Recommendations
For versions prior to 10.13.3, upgrade to version 10.13.3 or later.
For versions prior to 11.1.0, upgrade to version 11.1.0 or later.
As a temporary workaround for users unable to upgrade, manually add the 127.0.0.0/8 CIDR range to block access to any 127.X.X.X IP instead of just 127.0.0.1.
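As an added example (not Directus code), a plain JavaScript deny-list check that applies the advisory's workaround: a rule that names only 127.0.0.1 lets 127.0.0.2 and 127.127.127.127 through, while a 127.0.0.0/8 entry blocks the whole loopback range. The function names, deny lists and probe addresses are constructed for this example.

```javascript
// Added example, not Directus code: IPv4 CIDR deny-list check showing why a
// single-address rule for 127.0.0.1 is bypassable and 127.0.0.0/8 is not.

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// True when `ip` falls inside `cidr` ("a.b.c.d/n"; a bare address means /32).
function inCidr(ip, cidr) {
  const [base, prefixStr = '32'] = cidr.split('/');
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix in ${cidr}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True when the destination address matches any deny-list entry. Run this on
// the address the client will actually connect to, not on the hostname string.
function isDenied(ip, denyList) {
  return denyList.some((cidr) => inCidr(ip, cidr));
}

// Constructed policies: the weak one names a single loopback address, the
// fixed one uses the CIDR range recommended in the advisory.
const WEAK_DENY = ['127.0.0.1'];
const FIXED_DENY = ['127.0.0.0/8'];

// Constructed probes: the canonical loopback, two alternate loopback
// addresses from the advisory, and one ordinary private address.
const PROBES = ['127.0.0.1', '127.0.0.2', '127.127.127.127', '10.1.2.3'];

// Returns { probe: [deniedByWeak, deniedByFixed] } for every probe address.
function comparePolicies() {
  const result = {};
  for (const probe of PROBES) {
    result[probe] = [isDenied(probe, WEAK_DENY), isDenied(probe, FIXED_DENY)];
  }
  return result;
}

console.table(comparePolicies());
```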
Improper Access Control
SSRF
Affected Products
Directus