CVE-2024-3829

Name of the Vulnerable Software and Affected Versions qdrant/qdrant version 1.9.0-dev

Description The issue allows for arbitrary file read and write during the snapshot recovery process. Attackers can exploit this by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a desired file on the filesystem and arbitrary file write by including a symlink and a payload file in the snapshot's directory structure. This could potentially lead to a full takeover of the system.

Recommendations For version 1.9.0-dev, update to version v1.9.0 to resolve the issue. As a temporary workaround, consider restricting access to the snapshot recovery process to minimize the risk of exploitation. Avoid using symlinks in snapshot files until the issue is resolved.