CVE-2024-24565

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-24565
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 Patch
https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
History

05 Feb 2024, 20:55

Type Values Removed Values Added
Summary
  • (es) CrateDB es una base de datos SQL distribuida que simplifica el almacenamiento y análisis de cantidades masivas de datos en tiempo real. Hay una función COPIAR DESDE en la base de datos CrateDB que se utiliza para importar datos de archivos a tablas de bases de datos. Esta función tiene un defecto y los atacantes autenticados pueden utilizar la función COPIAR DE para importar contenido de archivos arbitrario en tablas de bases de datos, lo que provoca una fuga de información. Esta vulnerabilidad está parcheada en 5.3.9, 5.4.8, 5.5.4 y 5.6.1.
CPE cpe:2.3:a:cratedb:cratedb:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 5.7 		v2 : unknown
v3 : 6.5
First Time Cratedb cratedb
Cratedb
References () https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 - () https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 - Patch
References () https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 - () https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 - Exploit, Vendor Advisory

30 Jan 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-30 17:15

Updated : 2024-02-05 20:55

NVD link : CVE-2024-24565

Mitre link : CVE-2024-24565

CVE.ORG link : CVE-2024-24565

JSON object : View

Products Affected

cratedb

  • cratedb
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')