Exploitation Summary
CVE-2024-24565 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.
Nuclei Templates (1)
CrateDB Database - Arbitrary File Read
MEDIUMVERIFIEDby DhiyaneshDK
FOFA:
title="CrateDB"
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96
Patch x_refsource_misc
https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6
Scores
CVSS v3
5.7
EPSS
0.0311
EPSS Percentile
86.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
cratedb/cratedb
< 5.3.9
io.crate/crate
0 - 5.3.9Maven
Published
Jan 30, 2024
Tracked Since
Feb 18, 2026