Lucene search

@huntr_aiCVELIST:CVE-2024-3584

HistoryMay 30, 2024 - 12:33 p.m.

CVE-2024-3584 Path Traversal in qdrant/qdrant

2024-05-3012:33:21

CWE-20

@huntr_ai

www.cve.org

qdrant

1.9.0-dev

path traversal

input validation

snapshots

url encoding

arbitrary file

server takeover

system vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

Percentile

9.0%

JSON

qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the /collections/{name}/snapshots/upload endpoint. By manipulating the name parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as /root/poc.txt. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0.

CNA Affected

[
  {
    "vendor": "qdrant",
    "product": "qdrant/qdrant",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "v1.9.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/qdrant/qdrant/commit/15479a45ffa3b955485ae516696f7e933a8cce8a

huntr.com/bounties/5c7c82e2-4873-40b7-a5f3-0f4a42642f73

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-3584