CVE-2024-2221

CVSS V2 None CVSS V3 None

Description

qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. This vulnerability allows attackers to upload and overwrite any file on the filesystem, leading to potential remote code execution. This issue affects the integrity and availability of the system, enabling unauthorized access and potentially causing the server to malfunction.

Overview

CVE ID
CVE-2024-2221

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-10T17:07:59.396Z

Last Modified Date
2024-04-16T11:10:29.349Z

Weakness Enumerations

CWE	URL
CWE-434	http://cwe.mitre.org/data/definitions/434.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/6be8d4e3-67e6-4660-a8db-04215a1cff3e
https://github.com/qdrant/qdrant/commit/e6411907f0ecf3c2f8ba44ab704b9e4597d9705d

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-2221
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2221

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 23:54:01				Added to TrackCVE