CVE-2023-45820

Опубликовано: 19 окт. 2023

Источник: nvd

CVSS3: 5.9

CVSS3: 6.5

EPSS Низкий

Описание

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus. This issue has been addressed in version 10.6.2. Users are advised to upgrade. Users unable to upgrade should avoid using websockets.

Ссылки

https://github.com/directus/directus/commit/243eed781b42d6b4948ddb8c3792bcf5b44f55bb
Patch
https://github.com/directus/directus/security/advisories/GHSA-hmgw-9jrg-hf2m
Exploit
Vendor Advisory
https://github.com/directus/directus/commit/243eed781b42d6b4948ddb8c3792bcf5b44f55bb
Patch
https://github.com/directus/directus/security/advisories/GHSA-hmgw-9jrg-hf2m
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

Версия от 10.4.0 (включая) до 10.6.2 (исключая)

EPSS

Процентиль: 58%

0.0036

Низкий

5.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-755

Связанные уязвимости

GHSA-hmgw-9jrg-hf2m

CVSS3: 7.5

github

больше 2 лет назад

Directus crashes on invalid WebSocket message

EPSS

Процентиль: 58%

0.0036

Низкий

5.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-755