QID 995648

Date Published: 2023-10-25

QID 995648: NodeJs (Npm) Security Update for directus (GHSA-hmgw-9jrg-hf2m)

It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix (if only I had some extra time...), but I decided to instead post as a vulnerability just for the maintainers, since this seemingly can be used to crash any live Directus server if websockets are enabled, so public disclosure is not a good idea until the issue is fixed.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as High - 6.5 severity.

CVSS V2 rated as Medium - 5.4 severity.

Solution

Refer to Github security advisory GHSA-hmgw-9jrg-hf2m for updates and patch information.

Vendor References

GHSA-hmgw-9jrg-hf2m - github.com/advisories/GHSA-hmgw-9jrg-hf2m

CVEs related to QID 995648

CVE-2023-45820 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-hmgw-9jrg-hf2m	directus		github.com/advisories/GHSA-hmgw-9jrg-hf2m

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].