CVE-2024-27296: 
JavaScript vulnerability analysis and mitigation

Directus, a real-time API and App dashboard for managing SQL database content, was found to have a version disclosure vulnerability in versions prior to 10.8.3. The vulnerability was discovered and disclosed on March 1, 2024, affecting all versions up to and including 10.8.2. The exact Directus version number was being shipped in compiled JS bundles which were accessible without authentication (GitHub Advisory).

The vulnerability is tracked as CVE-2024-27296 with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability is characterized by Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, Low confidentiality impact, and No impact on integrity or availability. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The exposure of the exact version number allows malicious attackers to trivially identify known vulnerabilities in Directus core or any of its shipped dependencies for that specific running version. This information disclosure could potentially facilitate targeted attacks against vulnerable installations (GitHub Advisory).

The vulnerability has been patched in Directus version 10.8.3 and newer versions. No workarounds are available for this vulnerability, making upgrading to a patched version the only solution (GitHub Advisory).