Lucene search

Veracode Vulnerability DatabaseVERACODE:47397

HistoryJun 06, 2024 - 9:50 a.m.

Arbitrary File Read And Write

2024-06-0609:50:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

arbitrary file read

write manipulation

snapshot recovery

server security

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

qdrant-client is vulnerable to Arbitrary file read and write. The vulnerability is due to the snapshot recovery process allowing manipulation of snapshot files to include symlinks and also allows for the reading and writing of arbitrary files on the server.

CPENameOperatorVersion
qdrant-clientle1.8.2
qdrant-clientle1.8.2

CPE	Name	Operator	Version
	qdrant-client	le	1.8.2
	qdrant-client	le	1.8.2

References

github.com/advisories/GHSA-7m75-x27w-r52r

github.com/qdrant/qdrant/commit/ee7a31ec3459a6a4219200234615c1817ab82260

huntr.com/bounties/abd9c906-75ee-4d84-b76d-ce1386401e08

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47397