CVE-2024-24565 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-24565

CVE-2024-24565

January 30, 2024

CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.

Related Resources (8)

https://github.com/crate/crate/commit/32d0fc2ebb834ea324eb7ab5d01320a67bc5c3c7

https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96

https://github.com/crate/crate

https://github.com/crate/crate/commit/b75aeeabf90f51bd96ddb499903928fd10185207

https://github.com/crate/crate/commit/c4c97d5a1c52cc2250ea42d062a3d37550c19dd5

https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6

https://github.com/crate/crate/commit/c5034323f1b56ca5d04b8ef4c6029eb63a5ba172

https://nvd.nist.gov/vuln/detail/CVE-2024-24565

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

EPSS

Base Score:

84.06

Products

Solutions

Resources

Company

Compare

Developer Tools