CVE-2024-24565

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-24565
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.

5.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 Patch
https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 Exploit Vendor Advisory
https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 Patch
https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
History

21 Nov 2024, 08:59

Type Values Removed Values Added
References () https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 - Patch () https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 - Patch
References () https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 - Exploit, Vendor Advisory () https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 - Exploit, Vendor Advisory
CVSS v2 : unknown
v3 : 6.5 		v2 : unknown
v3 : 5.7

05 Feb 2024, 20:55

Type Values Removed Values Added
References () https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 - () https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 - Patch
References () https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 - () https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 - Exploit, Vendor Advisory
First Time Cratedb
Cratedb cratedb
CPE cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 5.7 		v2 : unknown
v3 : 6.5

30 Jan 2024, 20:48

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-30 17:15

Updated : 2024-11-21 08:59

NVD link : CVE-2024-24565

Mitre link : CVE-2024-24565

CVE.ORG link : CVE-2024-24565

JSON object : View

Products Affected

cratedb

  • cratedb
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')