CVE-2024-46990

CVSS 3.1 Score 5.0 of 10 (medium)

Details

Published Sep 18, 2024
Updated: Sep 20, 2024
CWE ID 284 (Improper Access Control)

Summary

CVE-2024-46990 is a medium-severity vulnerability in Directus, a real-time API and application dashboard for managing SQL database content. The flaw is an improper access control issue (CWE-284): the restriction meant to block access to localhost covers only the single address 127.0.0.1, so a user can still reach loopback by supplying any other address in the 127.0.0.0/8 block, for example 127.0.0.2 through 127.127.127.127. The fix ships in Directus 10.13.3 and 11.1.0; deployments on earlier releases should upgrade. Where an upgrade is not possible, block the entire 127.0.0.0/8 CIDR range rather than 127.0.0.1 alone. Per the CVSS 3.1 vector, the flaw is exploitable over the network by a user with low privileges, needs no user interaction, and has a low confidentiality impact. All Directus releases before the fixed versions are affected and may expose sensitive data until patched.
