CVE-2024-46990: Directus vulnerable to SSRF Loopback IP filter bypass
If you're relying on blocking access to localhost using the default 0.0.0.0 filter, this can be bypassed using other registered loopback addresses (such as 127.0.0.2 through 127.127.127.127).
References
- github.com/advisories/GHSA-68g8-c275-xf2m
- github.com/directus/directus
- github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
- github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
- github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
- github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
- github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
- nvd.nist.gov/vuln/detail/CVE-2024-46990