Vulnerability Description
In Directus 7 API through 2.3.0, remote attackers who know or can guess a filename can read image files via a direct request for that filename under the uploads/_/originals/ directory. This is related to a configuration option that lets the file collection be made non-public; the option does not apply to the thumbnailer, so the access restriction configured on the collection is not enforced for these direct file requests.
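The practical consequence of the description above is that a non-public file collection offers no protection against anyone who requests a stored file by path. The script below is an added detection example for responders, not code from the Directus project or from the referenced issues: it scans web-server access logs in Apache/nginx "combined" format for successfully served requests that resolve to a Directus 7 originals directory, normalising the path the way a web server does before serving so that `../` hops and percent-encoding do not hide a hit. The page names only the default project path `uploads/_/originals/`; matching other project names under `/uploads/<project>/originals/` is an assumption, and the log lines are constructed sample data.

```python
"""Scan access logs for direct reads of Directus 7 stored originals (CVE-2019-13981).

Added example, not Directus project code. Assumes a web server in front of
Directus logging in Apache/nginx "combined" format and that stored originals
live under /uploads/<project>/originals/ (only uploads/_/originals/ is named
on the advisory page; other project names are an assumption).
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample log lines, not real traffic. Line 4 reaches the originals
# directory through a ../ hop plus a percent-encoded dot, which a literal
# prefix match on "/uploads/_/originals/" would miss.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2019:12:00:01 +0000] "GET /uploads/_/originals/invoice-scan.jpg HTTP/1.1" 200 48213 "-" "curl/7.64.0"
203.0.113.7 - - [10/Jul/2019:12:00:02 +0000] "GET /uploads/_/originals/does-not-exist.png HTTP/1.1" 404 153 "-" "curl/7.64.0"
198.51.100.4 - - [10/Jul/2019:12:00:03 +0000] "GET /uploads/_/thumbnails/200/200/crop/good/photo.jpg HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2019:12:00:04 +0000] "GET /uploads/_/thumbnails/../originals/photo%2Ejpg?x=1 HTTP/1.1" 200 77001 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2019:12:00:05 +0000] "GET /some/other/path HTTP/1.1" 401 89 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Normalised request path of a stored original: /uploads/<project>/originals/<filename>
ORIGINALS_RE = re.compile(r"^/uploads/(?P<project>[^/]+)/originals/(?P<filename>.+)$")


def normalize_path(target: str) -> str:
    """Reduce a request target to the filesystem-style path a web server would serve.

    Drops the query string, percent-decodes, and collapses "." and ".." segments.
    """
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(path)


def find_direct_original_reads(log_text: str, project: Optional[str] = None) -> list:
    """Return every successfully served (2xx) request that resolves to an originals file.

    With the file collection configured non-public, no such direct read should
    succeed at all, so every hit is worth reviewing. Pass project="_" to restrict
    to the default project named in the advisory.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        status = int(m["status"])
        if not 200 <= status < 300:
            continue  # 404/403/401 means nothing was disclosed
        path = normalize_path(m["target"])
        pm = ORIGINALS_RE.match(path)
        if not pm:
            continue
        if project is not None and pm["project"] != project:
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "project": pm["project"],
            "filename": pm["filename"],
            "status": status,
            "raw_target": m["target"],  # keep the unnormalised form for the report
        })
    return hits


if __name__ == "__main__":
    for hit in find_direct_original_reads(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} read {hit["project"]}/{hit["filename"]} via {hit["raw_target"]}')
```

The access log cannot tell you whether a request carried valid Directus credentials, and this check does not try to; its premise is that on a deployment where the file collection is non-public, the stored originals should not be served directly to anyone, so a 2xx on that path is itself the finding. Run it over the real log of the reverse proxy or web server that fronts the API, and pass `project="_"` if only the default project is in scope.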
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rangerstudio | Directus 7 API | <= 2.3.0 |
Related Weaknesses (CWE)
No CWE mapping is listed for this entry.
References
- https://github.com/directus/api/issues/986 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/directus/api/issues/987 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2019-13981?
CVE-2019-13981 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer.
How severe is CVE-2019-13981?
CVE-2019-13981 has been rated MEDIUM with a CVSS base score of 5.3/10. This page lists only the base score; the full CVSS metric vector is not given here.
Is there a patch for CVE-2019-13981?
This page does not list a fixed version. The references above are the two directus/api GitHub issues that track the problem; consult them and the project's release notes for patch status. Affected product: Rangerstudio Directus 7 API, versions through 2.3.0.