Severity: Critical

Package: qdrant

Arbitrary File Overwrite via Path Traversal in Snapshot Upload

A path traversal vulnerability in the `/collections/{name}/snapshots/upload` endpoint of qdrant/qdrant version 1.9.0-dev allows attackers to upload files to arbitrary locations, such as `/root/poc.txt`. The vulnerability was patched in version 1.9.0.

Available publicly on May 30 2024

CVSS score: 9.8

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: ozelis

Remediation Steps
  • Upgrade to qdrant version 1.9.0 or later.
  • As a temporary measure, restrict access to the vulnerable endpoint.
  • Review and sanitize all input parameters to prevent path traversal.
  • Regularly audit your systems for unauthorized modifications.

Patch Details
  • Fixed Version: v1.9.0
  • Patch Commit: https://github.com/qdrant/qdrant/commit/15479a45ffa3b955485ae516696f7e933a8cce8a
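The kind of input check the "sanitize all input parameters" remediation step calls for, shown as an added Rust example (qdrant's own language); this is not qdrant's code or the linked patch. The snapshot base directory, the `NameError` type and the `.snapshot` extension convention are assumptions made for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a client-supplied snapshot name is rejected (illustrative type, not qdrant's).
#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    NotPlainFile,
    WrongExtension,
}

/// Map an uploaded snapshot's client-supplied name to a path inside `base`.
/// The name is treated as data, never as a path: it must be non-empty, contain
/// no directory separators, parse as exactly one `Component::Normal` (so `..`,
/// `.`, and absolute paths are refused), and carry the assumed `.snapshot`
/// extension. Only then is it joined onto `base`, so the result cannot escape it.
pub fn safe_snapshot_path(base: &Path, client_name: &str) -> Result<PathBuf, NameError> {
    if client_name.is_empty() {
        return Err(NameError::Empty);
    }
    // Reject both separator styles up front; backslash is not a separator on
    // Unix, but refusing it avoids platform-dependent behaviour.
    if client_name.chars().any(|c| c == '/' || c == '\\') {
        return Err(NameError::NotPlainFile);
    }
    let candidate = Path::new(client_name);
    let mut components = candidate.components();
    let file_name = match (components.next(), components.next()) {
        (Some(Component::Normal(n)), None) => n,
        _ => return Err(NameError::NotPlainFile),
    };
    if candidate.extension().and_then(|e| e.to_str()) != Some("snapshot") {
        return Err(NameError::WrongExtension);
    }
    Ok(base.join(file_name))
}

fn main() {
    // Constructed sample inputs, including the traversal shape from the advisory.
    let base = Path::new("/var/lib/qdrant/snapshots");
    for name in ["col-2024.snapshot", "../../../root/poc.txt", "/root/poc.txt", ".."] {
        println!("{name:?} -> {:?}", safe_snapshot_path(base, name));
    }
}
```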