cve/2024/CVE-2024-46990.md

### [CVE-2024-46990](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46990)
![](https://img.shields.io/static/v1?label=Product&message=directus&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%2010.13.3%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2011.0.0%2C%20%3C%2011.1.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-284%3A%20Improper%20Access%20Control&color=brightgreen)

### Description

Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range which will block access to any `127.X.X.X` ip instead of just `127.0.0.1`.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds