CVE-2022-23080

CVE-2022-23080: directus - SSRF which leads to internal port scan

Vendor Directus

Product directus

Weakness CWE-918 · SSRF

Published June 22, 2022

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.

Key dates

02Disclosure timeline

June 22, 2022 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-23080 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2026-9372 ItzCrazyKns Vane Model Provider API route.ts server-side request forgery CVE-2026-45061 Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`) CVE-2026-39647 WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability CVE-2020-26258 Server-Side Forgery Request can be activated unmarshalling with XStream CVE-2026-6229 Royal Addons for Elementor <= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery via CSV URL Parameter

Identifiers

CVE CVE-2022-23080

CWE CWE-918

Affected versions

Vendor Directus

Product directus

Affected ≥ v9.0.0-beta.10 and < unspecified

Vendor Directus

Product directus

Affected ≥ unspecified and ≤ v9.6.0