Cyber Resilience

CVE-2024-24565

Medium · Public PoC

Published: 30 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 5.7 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Score: 0.8648 (99.4th percentile)
Risk Priority: 63 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-24565 is a medium-severity Path Traversal (CWE-22) vulnerability in CrateDB, a distributed SQL database. Its CVSS v3.1 base score is 5.7 (Medium).

Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood (EPSS 0.8648, 99.4th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CrateDB is a distributed SQL database whose COPY FROM statement imports data from external files into a table. The statement's file handling does not adequately restrict the path it is given (CWE-22, improper limitation of a pathname to a restricted directory), so an authenticated user can supply a crafted location that makes the server read an arbitrary file the database process can access and load its contents into a table the user can then query, resulting in information disclosure.

An attacker with low-privileged but authenticated network access (PR:L, AV:N in the vector) triggers the flaw by issuing a malicious COPY FROM statement; the vector records user interaction as required (UI:R). Successful exploitation yields read access to sensitive files (C:H) but does not modify data or affect availability (I:N, A:N). Because the read is performed by the server, what can be disclosed is bounded by the permissions of the operating-system account the database runs under.

The issue is fixed in CrateDB releases 5.3.9, 5.4.8, 5.5.4 and 5.6.1, as described in the project's security advisory GHSA-475g-vj6c-xf96 and the corresponding code change, which restricts the file paths the COPY FROM implementation accepts. Deployments that cannot upgrade immediately should at least review which database roles are able to run COPY FROM. The EPSS score has remained stable at its recorded peak of 0.8648, with no material upward movement after disclosure.


Vulnerability details

CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cratedb (vendor)
cratedb (product)
Affected: < 5.3.9 · 5.4.0 to 5.4.7 · 5.5.0 to 5.5.3 · 5.6.0 (the fixed releases 5.3.9, 5.4.8, 5.5.4 and 5.6.1 are not affected)

Mitigating Controls

Likely Mitigating Controls (automated, AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames so that file access cannot escape the intended directory. In practice this means canonicalising the supplied path (resolving '..' segments and symbolic links) before checking it against an allow-listed root, rejecting non-local URI schemes, and restricting which database roles may run COPY FROM at all.
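The control described above and the bug class described under "Deeper analysis", as an added example written for this page (not CrateDB's own code and not its fix): a Python model of the vulnerable "open whatever path the client sends" pattern beside a hardened variant that canonicalises the path and confines it to a configured import directory. `demo()` exercises both against a constructed temporary directory tree containing an in-root file, a `..` escape, a symlink that points outside the root, and a non-file URI scheme. The function names, the `import_root` parameter and the sample files are assumptions made for the example.

```python
"""Path-containment check for a server-side file import such as COPY FROM.

Added, illustrative example; not CrateDB's code. It models the CWE-22 bug
class (a path taken from the client is opened on the server filesystem)
next to the kind of fix the advisory describes (only paths under a
configured import directory are accepted). Function names, import_root
and the sample files are assumptions made for this example.
"""
import os
import tempfile
from urllib.parse import unquote, urlparse


class ImportPathError(ValueError):
    """Raised when a client-supplied import location is rejected."""


def naive_import_path(uri: str) -> str:
    """Vulnerable pattern: open whatever path the client put into the URI.

    Nothing stops '..' segments, symlinks or absolute paths, so any file the
    database process can read becomes importable.
    """
    return unquote(urlparse(uri).path)


def safe_import_path(uri: str, import_root: str) -> str:
    """Hardened pattern: local file URI only, canonicalised, confined to import_root.

    Steps: restrict the scheme and host, reject NUL bytes, resolve '..' and
    symlinks with realpath(), then require the result to stay under the
    resolved root. Returns the canonical path the caller may open.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "file":
        raise ImportPathError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.netloc not in ("", "localhost"):
        raise ImportPathError(f"host not allowed in file URI: {parsed.netloc!r}")
    raw = unquote(parsed.path)
    if "\x00" in raw:
        raise ImportPathError("NUL byte in path")
    root = os.path.realpath(import_root)
    # Relative paths are taken relative to the import root; absolute paths must
    # already lie under it. realpath() collapses '..' and follows symlinks, so a
    # symlink inside the root that points outside it is caught as well.
    candidate = os.path.realpath(raw if os.path.isabs(raw) else os.path.join(root, raw))
    if os.path.commonpath([root, candidate]) != root:
        raise ImportPathError(f"path escapes import root: {raw!r}")
    return candidate


def demo() -> dict:
    """Exercise both variants against a throwaway directory tree.

    The tree, the files and the URIs are constructed here for the example.
    Returns {"naive": {...}, "hardened": {...}} keyed by case name, with
    "READABLE"/"UNREADABLE" for the naive variant (would the read succeed?)
    and "ALLOWED"/"REJECTED: <reason>" for the hardened one.
    """
    results = {"naive": {}, "hardened": {}}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "imports")
        os.mkdir(root)
        with open(os.path.join(root, "ok.csv"), "w") as fh:
            fh.write("id,val\n1,a\n")
        secret = os.path.join(tmp, "secret.txt")  # lives outside the import root
        with open(secret, "w") as fh:
            fh.write("not for import\n")
        os.symlink(secret, os.path.join(root, "link.csv"))  # symlink escape

        cases = {
            "in_root": "file://" + os.path.join(root, "ok.csv"),
            "dotdot_escape": "file://" + os.path.join(root, "..", "secret.txt"),
            "symlink_escape": "file://" + os.path.join(root, "link.csv"),
            "http_scheme": "http://example.invalid/ok.csv",
        }
        for name, uri in cases.items():
            path = naive_import_path(uri)
            results["naive"][name] = "READABLE" if os.path.isfile(path) else "UNREADABLE"
            try:
                safe_import_path(uri, root)
                results["hardened"][name] = "ALLOWED"
            except ImportPathError as exc:
                results["hardened"][name] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    for variant, outcomes in demo().items():
        for case, outcome in outcomes.items():
            print(f"{variant:9} {case:15} {outcome}")
```

The containment test compares `os.path.commonpath` of the resolved root and the resolved candidate rather than doing a string-prefix check, which is what keeps `imports-evil/x.csv` from passing as a child of `imports`, and canonicalisation happens before the comparison so that both `..` segments and symlinks are judged by where they actually land.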
