CVE-2024-24565

MEDIUM NUCLEI

CrateDB Database - Arbitrary File Read

Title source: nuclei

Description

CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.

Nuclei Templates (1)

CrateDB Database - Arbitrary File Read

MEDIUMVERIFIEDby DhiyaneshDK

FOFA: title="CrateDB"

References (2)

[Patch] https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6

View Patch ZIP pw:eip

[Exploit, Vendor Advisory] https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96

Scores

CVSS v3 5.7

EPSS 0.8648

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (2)

cratedb/cratedb < 5.3.9

io.crate/crate 0 - 5.3.9Maven

Published Jan 30, 2024

Tracked Since Feb 18, 2026