Critical

qdrant

Arbitrary File Overwrite via Path Traversal in Snapshot Upload

A path traversal vulnerability in the `/collections/{name}/snapshots/upload` endpoint of qdrant/qdrant version 1.9.0-dev allows attackers to upload files to arbitrary locations, such as `/root/poc.txt`. The vulnerability was patched in version 1.9.0.

Available publicly on May 30 2024

9.8

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit:

ozelis
Threat Overview

The vulnerability stems from improper input validation in the name parameter of the snapshot upload endpoint. By URL-encoding directory traversal sequences (../) and appending them to the name parameter, an attacker can escape the intended directory and specify an arbitrary file path for the uploaded file. This can lead to unauthorized file write or overwrite, which could be exploited to achieve remote code execution (RCE) by overwriting critical system files or executables.

Attack Scenario

An attacker first crafts a request to the vulnerable endpoint, encoding the name parameter to traverse to a target directory (e.g., /root). They then specify a filename and file contents to be uploaded. If the server processes this request, the file is written to the specified location outside the intended directory. This can be leveraged to overwrite critical files or deploy malicious payloads, potentially leading to full system compromise.

Who is affected

Systems running qdrant/qdrant version 1.9.0-dev are vulnerable. This includes servers where the qdrant service is exposed to untrusted networks, potentially allowing remote attackers to exploit this vulnerability.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.