In affected versions, Directus crashes when it receives an invalid WebSocket message, allowing a malicious actor to take the service down. Upgrade to version 10.6.2 to prevent exploitation.
Directus crashes on invalid WebSocket message.
Understanding CVE-2023-45820
Directus, a real-time API and App dashboard for managing SQL database content, is prone to crashes when it receives an invalid WebSocket message.
What is CVE-2023-45820?
In affected versions of Directus, an invalid frame received by the websocket server can crash any Directus installation with websockets enabled. A malicious user can trigger this deliberately to crash Directus installations.
The Impact of CVE-2023-45820
The impact of this CVE is rated as MEDIUM severity with a CVSS base score of 5.9. The availability impact is rated as HIGH.
Technical Details of CVE-2023-45820
Vulnerability Description
The vulnerability (CWE-755) arises from the improper handling of exceptional conditions when Directus receives an invalid WebSocket message, leading to crashes.
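The handling failure described above, as an added example that is not Directus code: a Node.js-style WebSocket message handler in its vulnerable form beside a hardened one. Handler names and the ws-style socket API (on/send/close) are assumptions, and the sample frames are constructed.

```javascript
// Added example, not Directus code. Handler names and the ws-style socket
// API (on/send/close) are assumptions; the sample frames are constructed.
// Vulnerable shape (CWE-755): the handler trusts the inbound message, so
// invalid JSON or an unexpected shape throws. Thrown from a 'message' listener
// in Node.js, that is an uncaughtException and the whole process exits.
function handleMessageUnsafe(raw) {
  const msg = JSON.parse(raw);                        // SyntaxError on non-JSON
  return { ok: true, type: msg.type.toLowerCase() };  // TypeError if "type" missing
}

// Hardened shape: treat every frame as untrusted, parse inside try/catch,
// validate the shape explicitly, and answer that one client with an error.
function handleMessageSafe(raw) {
  let msg;
  try {
    msg = JSON.parse(typeof raw === 'string' ? raw : String(raw));
  } catch (err) {
    return { ok: false, error: 'INVALID_PAYLOAD', detail: 'not valid JSON' };
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg) ||
      typeof msg.type !== 'string') {
    return { ok: false, error: 'INVALID_PAYLOAD', detail: 'missing string "type"' };
  }
  return { ok: true, type: msg.type.toLowerCase() };
}

// Wiring: the outer try/catch is the last line of defence for bugs in the
// handler itself; the 'error' listener matters too, because a Node EventEmitter
// that emits 'error' with no listener throws and would also kill the process.
function attachHandler(socket) {
  socket.on('error', () => socket.close(1002, 'protocol error'));   // 1002 protocol error
  socket.on('message', (data) => {
    let reply;
    try {
      reply = handleMessageSafe(data);
    } catch (err) {
      socket.close(1011, 'internal error');                         // 1011 unexpected condition
      return;
    }
    socket.send(JSON.stringify(reply));
    if (!reply.ok) socket.close(1003, reply.error);                 // 1003 unsupported data
  });
}

const SAMPLE_FRAMES = ['{"type":"Ping"}', 'not json', '{"foo":1}', '[]'];

// True when the unsafe handler would have thrown (i.e. crashed the server).
function unsafeWouldCrash(raw) {
  try { handleMessageUnsafe(raw); return false; } catch (e) { return true; }
}
```

Running the four constructed frames through both handlers shows the difference: the unsafe one throws on three of them, the safe one returns an error reply and the connection is closed with code 1003 while the process keeps serving other clients.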
Affected Systems and Versions
Directus versions >= 10.4 and < 10.6.2 are affected by this vulnerability.
Exploitation Mechanism
A malicious actor can exploit this vulnerability by sending an invalid WebSocket message to the Directus websocket server, causing a crash.
Mitigation and Prevention
Immediate Steps to Take
Users are strongly advised to upgrade to version 10.6.2 to mitigate this vulnerability. Users who cannot upgrade should disable websockets to prevent exploitation.
Long-Term Security Practices
Regularly updating Directus to the latest version and following best security practices can help prevent such vulnerabilities in the future.
Patching and Updates
The issue has been addressed in version 10.6.2 of Directus, and users are urged to update to this version to safeguard their installations.