Qdrant hasta 1.6.1/1.7.4/1.8.2 Full Snapshot REST API snapshots.rs directory traversal

ArtículoHistoryjsonxmlCTI

Una vulnerabilidad fue encontrada en Qdrant hasta 1.6.1/1.7.4/1.8.2 y clasificada como crítica. Una función desconocida del archivo lib/collection/src/collection/snapshots.rs del componente Full Snapshot REST API es afectada por esta vulnerabilidad. Por la manipulación de un input desconocido se causa una vulnerabilidad de clase directory traversal. El advisory puede ser descargado de github.com. La vulnerabilidad es identificada como CVE-2024-3078. El ataque se puede efectuar en la red local. Los detalles técnicos son conocidos. Fue declarado como no está definido. Una actualización a la versión 1.8.3 elimina esta vulnerabilidad. La actualización se puede descargar de github.com. El parche puede ser descargado de github.com. El mejor modo sugerido para mitigar el problema es actualizar a la última versión. Una solución posible ha sido publicada incluso antes y no después de la publicación de la vulnerabilidad.

Campo	2024-03-29 08:16	2024-05-07 17:57	2024-05-07 18:04
name	Qdrant	Qdrant	Qdrant
version	<=1.6.1/1.7.4/1.8.2	<=1.6.1/1.7.4/1.8.2	<=1.6.1/1.7.4/1.8.2
component	Full Snapshot REST API	Full Snapshot REST API	Full Snapshot REST API
file	lib/collection/src/collection/snapshots.rs	lib/collection/src/collection/snapshots.rs	lib/collection/src/collection/snapshots.rs
cwe	22 (directory traversal)	22 (directory traversal)	22 (directory traversal)
risk	2	2	2
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
identifier	3856/3867	3856/3867	3856/3867
url	https://github.com/qdrant/qdrant/pull/3856	https://github.com/qdrant/qdrant/pull/3856	https://github.com/qdrant/qdrant/pull/3856
name	Upgrade	Upgrade	Upgrade
upgrade_version	1.8.3	1.8.3	1.8.3
upgrade_url	https://github.com/qdrant/qdrant/releases/tag/v1.8.3	https://github.com/qdrant/qdrant/releases/tag/v1.8.3	https://github.com/qdrant/qdrant/releases/tag/v1.8.3
patch_name	3ab5172e9c8f14fa1f7b24e7147eac74e2412b62	3ab5172e9c8f14fa1f7b24e7147eac74e2412b62	3ab5172e9c8f14fa1f7b24e7147eac74e2412b62
patch_url	https://github.com/qdrant/qdrant/commit/3ab5172e9c8f14fa1f7b24e7147eac74e2412b62	https://github.com/qdrant/qdrant/commit/3ab5172e9c8f14fa1f7b24e7147eac74e2412b62	https://github.com/qdrant/qdrant/commit/3ab5172e9c8f14fa1f7b24e7147eac74e2412b62
advisoryquote	Fix arbitrary path traversal vulnerability in full snapshot REST API (#3856)	Fix arbitrary path traversal vulnerability in full snapshot REST API (#3856)	Fix arbitrary path traversal vulnerability in full snapshot REST API (#3856)
cve	CVE-2024-3078	CVE-2024-3078	CVE-2024-3078
responsible	VulDB	VulDB	VulDB
date	1711666800 (2024-03-29)	1711666800 (2024-03-29)	1711666800 (2024-03-29)
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss4_vuldb_ac	L	L	L
cvss4_vuldb_ui	N	N	N
cvss4_vuldb_vc	L	L	L
cvss4_vuldb_vi	L	L	L
cvss4_vuldb_va	L	L	L
cvss2_vuldb_av	A	A	A
cvss2_vuldb_au	S	S	S
cvss2_vuldb_e	ND	ND	ND
cvss3_vuldb_av	A	A	A
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_e	X	X	X
cvss4_vuldb_av	A	A	A
cvss4_vuldb_at	N	N	N
cvss4_vuldb_pr	L	L	L
cvss4_vuldb_sc	N	N	N
cvss4_vuldb_si	N	N	N
cvss4_vuldb_sa	N	N	N
cvss4_vuldb_e	X	X	X
cvss2_vuldb_basescore	5.2	5.2	5.2
cvss2_vuldb_tempscore	4.5	4.5	4.5
cvss3_vuldb_basescore	5.5	5.5	5.5
cvss3_vuldb_tempscore	5.3	5.3	5.3
cvss3_meta_basescore	5.5	5.5	5.5
cvss3_meta_tempscore	5.3	5.3	5.4
cvss4_vuldb_bscore	5.1	5.1	5.1
cvss4_vuldb_btscore	5.1	5.1	5.1
price_0day	$0-$5k	$0-$5k	$0-$5k
cve_assigned		1711666800 (2024-03-29)	1711666800 (2024-03-29)
cve_nvd_summary		A vulnerability was found in Qdrant up to 1.6.1/1.7.4/1.8.2 and classified as critical. This issue affects some unknown processing of the file lib/collection/src/collection/snapshots.rs of the component Full Snapshot REST API. The manipulation leads to path traversal. Upgrading to version 1.8.3 is able to address this issue. The patch is named 3ab5172e9c8f14fa1f7b24e7147eac74e2412b62. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-258611.	A vulnerability was found in Qdrant up to 1.6.1/1.7.4/1.8.2 and classified as critical. This issue affects some unknown processing of the file lib/collection/src/collection/snapshots.rs of the component Full Snapshot REST API. The manipulation leads to path traversal. Upgrading to version 1.8.3 is able to address this issue. The patch is named 3ab5172e9c8f14fa1f7b24e7147eac74e2412b62. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-258611.
cvss2_nvd_av			A
cvss2_nvd_ac			L
cvss2_nvd_au			S
cvss2_nvd_ci			P
cvss2_nvd_ii			P
cvss2_nvd_ai			P
cvss3_cna_av			A
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			L
cvss3_cna_i			L
cvss3_cna_a			L
cve_cna			VulDB
cvss2_nvd_basescore			5.2
cvss3_cna_basescore			5.5

◂ Anterior Visión De Conjunto Próximo ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!