CVE-2024-24565

Name of the Vulnerable Software and Affected Versions CrateDB versions prior to 5.3.9 CrateDB versions prior to 5.4.8 CrateDB versions prior to 5.5.4 CrateDB versions prior to 5.6.1

Description The CrateDB database has a flaw in its COPY FROM function, which allows authenticated attackers to import arbitrary file content into database tables, resulting in information leakage. This issue can be exploited by using the COPY FROM function to read sensitive files, such as /etc/passwd or /crate/config/crate.yml, and then selecting the contents of the imported table. The vulnerability affects all current versions of the CrateDB database and can impact CrateDB Cloud Clusters.

Recommendations For versions prior to 5.3.9, update to version 5.3.9 or later. For versions prior to 5.4.8, update to version 5.4.8 or later. For versions prior to 5.5.4, update to version 5.5.4 or later. For versions prior to 5.6.1, update to version 5.6.1 or later. As a temporary workaround, consider restricting access to the COPY FROM function to minimize the risk of exploitation.