CVE-2024-24565 PoC — CrateDB 路径遍历漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-24565.yaml

Associated Vulnerability

Title:CrateDB 路径遍历漏洞 (CVE-2024-24565)
Description:CrateDB是CrateDB公司的一个分布式且可扩展的 SQL 数据库。 CrateDB 5.3.9之前、5.4.8之前、5.5.4之前和 5.6.1之前版本存在路径遍历漏洞，该漏洞源于COPY FROM函数存在缺陷，攻击者利用该漏洞可以使用COPY FROM函数将任意文件内容导入到数据库表中，从而导致信息泄露。

Description

CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage.

File Snapshot


 id: CVE-2024-24565

info:
  name: CrateDB Database - Arbitrary File Read
  author: DhiyaneshDK
  sev

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!