7.5

CVE-2024-39896

Exploit

EPSS 0.53%
Veröffentlicht 08.07.2024 18:15:08
Zuletzt bearbeitet 03.01.2025 16:30:43
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus SwPlatformnode.js Version < 10.13.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.667

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2

Patch

https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-39896

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39896

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39896

EUVD