Lucene search

MitreCVE-2021-26595

HistoryFeb 23, 2021 - 7:15 p.m.

CVE-2021-26595

2021-02-2319:15:13

CWE-312

mitre

web.nvd.nist.gov

cve-2021-26595

directus 8.x

information disclosure

sensitive information

security vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

47.4%

JSON

In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Affected configurations

Nvd

Node

rangerstudiodirectusRange8.0.0–8.8.1

VendorProductVersionCPE
rangerstudiodirectus*cpe:2.3:a:rangerstudio:directus:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rangerstudio	directus	*	cpe:2.3:a:rangerstudio:directus::::::::

References

github.com/sgranel/directusv8

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

47.4%

JSON

Related for CVE-2021-26595