Information Exposure Affecting @directus/api package, versions >=22.2.0 <23.2.0
Threat Intelligence
Exploit Maturity
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-DIRECTUSAPI-8492718
- published10 Dec 2024
- disclosed9 Dec 2024
- creditSean Goff, fishuke
Introduced: 9 Dec 2024
NewCVE-2024-54151 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade @directus/api to version 23.2.0 or higher.
Overview
@directus/api is a real-time API and App dashboard for managing SQL database content
Affected versions of this package are vulnerable to Information Exposure due to the configuration settings WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH being set to "public". An attacker can perform any supported operations such as CRUD and subscriptions with full admin privileges by exploiting these settings.