CVE-2024-3584

Exploit

EPSS 0.39%
Veröffentlicht 30.05.2024 13:15:49
Zuletzt bearbeitet 10.07.2025 18:21:56
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as `/root/poc.txt`. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qdrant ≫ Qdrant Version < 1.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.593

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security@huntr.dev	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/qdrant/qdrant/commit/15479a45ffa3b955485ae516696f7e933a8cce8a

Patch

https://huntr.com/bounties/5c7c82e2-4873-40b7-a5f3-0f4a42642f73

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-3584

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3584

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3584

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-3584