CrateDB database has an arbitrary file read vulnerability

CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

对路径名的限制不恰当(路径遍历)

CrateDB 路径遍历漏洞

CrateDB是CrateDB公司的一个分布式且可扩展的 SQL 数据库。 CrateDB 5.3.9之前、5.4.8之前、5.5.4之前和 5.6.1之前版本存在路径遍历漏洞，该漏洞源于COPY FROM函数存在缺陷，攻击者利用该漏洞可以使用COPY FROM函数将任意文件内容导入到数据库表中，从而导致信息泄露。

N/A

N/A