漏洞标题
在qdrant/qdrant快照恢复期间的任意文件读写
漏洞描述信息
Qdrant/Qdrant版本1.9.0-dev在快照恢复过程中存在任意文件读写漏洞。攻击者可以通过操纵快照文件,使其包含符号链接,从而通过添加指向文件系统中所需文件的符号链接来实现任意文件读取,并通过在快照目录结构中包含符号链接和payload文件来实现任意文件写入。该漏洞允许在服务器上读取和写入任意文件,这可能会导致系统被完全接管。此问题已在版本v1.9.0中修复。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
在文件访问前对链接解析不恰当(链接跟随)
漏洞标题
Arbitrary File Read and Write during Snapshot Recovery in qdrant/qdrant
漏洞描述信息
qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a desired file on the filesystem and arbitrary file write by including a symlink and a payload file in the snapshot's directory structure. This vulnerability allows for the reading and writing of arbitrary files on the server, which could potentially lead to a full takeover of the system. The issue is fixed in version v1.9.0.
CVSS信息
N/A
漏洞类别
输入验证不恰当
漏洞标题
Qdrant 输入验证错误漏洞
漏洞描述信息
Qdrant是一个矢量相似性搜索引擎和矢量数据库。 Qdrant 1.9.0-dev版本存在输入验证错误漏洞,该漏洞源于容易受到任意文件读写攻击,攻击者可以在服务器上读取和写入任意文件,可能会导致系统被完全接管。
CVSS信息
N/A
漏洞类别
输入验证错误