{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-27T18:44:13.038Z", "datePublished": "2024-07-08T15:32:04.556Z", "dateUpdated": "2024-08-02T04:26:15.949Z"}, "containers": {"cna": {"title": "Directus has a Blind SSRF On File Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw"}, {"name": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1", "tags": ["x_refsource_MISC"], "url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 10.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T15:32:04.556Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3."}], "source": {"advisory": "GHSA-8p72-rcq4-h6pw", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "monospace", "product": "directus", "cpes": ["cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "10.9.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T18:12:46.359227Z", "id": "CVE-2024-39699", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T18:13:58.460Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.949Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw"}, {"name": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw", "name": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1", "name": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.949Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39699", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T18:12:46.359227Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"], "vendor": "monospace", "product": "directus", "versions": [{"status": "affected", "version": "0", "lessThan": "10.9.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T18:13:54.220Z"}}], "cna": {"title": "Directus has a Blind SSRF On File Import", "source": {"advisory": "GHSA-8p72-rcq4-h6pw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": "< 10.9.3"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw", "name": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1", "name": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T15:32:04.556Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39699", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:26:15.949Z", "dateReserved": "2024-06-27T18:44:13.038Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-08T15:32:04.556Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7EF259E-D347-4839-8415-71B2588FD7DE", "versionEndExcluding": "10.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3."}, {"lang": "es", "value": "Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. Ya se inform\u00f3 de una vulnerabilidad SSRF mediante la importaci\u00f3n de archivos. Se solucion\u00f3 resolviendo todos los nombres DNS y verificando si la IP solicitada es una direcci\u00f3n IP interna. Sin embargo, es posible saltarse esta medida de seguridad y ejecutar un SSRF mediante redireccionamientos. Directus permite redireccionamientos al importar archivos desde la URL y no verifica la URL del resultado. As\u00ed, es posible ejecutar una solicitud a una IP interna, por ejemplo a 127.0.0.1. Sin embargo, es SSRF ciego, porque Directus tambi\u00e9n utiliza la t\u00e9cnica de interceptaci\u00f3n de respuestas para obtener la informaci\u00f3n sobre la conexi\u00f3n desde el socket directamente y no muestra una respuesta si la direcci\u00f3n IP es interna. Esta vulnerabilidad se solucion\u00f3 en 10.9.3."}], "id": "CVE-2024-39699", "lastModified": "2024-11-21T09:28:14.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-08T16:15:08.917", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}