PT-2024-4072 · Qdrant · Qdrant

Published: 2024-04-07 · Updated: 2025-07-10 · CVE-2024-3584

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable software and affected versions: qdrant/qdrant version 1.9.0-dev
Description: The "/collections/{name}/snapshots/upload" endpoint does not properly validate the collection name taken from the URL path. Because path separators and dot segments can be smuggled into the name parameter through URL encoding, the uploaded snapshot is written outside the intended snapshot directory. An unauthenticated attacker can therefore write or overwrite arbitrary files on the server, which can lead to a full takeover of the system.
Recommendations: Update qdrant/qdrant 1.9.0-dev to version 1.9.0, which resolves the issue. Until the update is applied, restrict access to the "/collections/{name}/snapshots/upload" endpoint or disable snapshot upload through it, and do not let untrusted input reach the name parameter of this endpoint.
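As an added illustration (this is not Qdrant's own code and not the patch that shipped in 1.9.0), the Rust example below shows the path-construction pattern behind this bug class beside a hardened version. The snapshot root "/var/qdrant/snapshots", the small percent-decoder and the function names are assumptions made for the example; the attack input is a constructed collection name that percent-decodes to "../../etc".

```rust
use std::path::{Component, Path, PathBuf};

/// Minimal percent-decoder for one URL path segment (constructed for this
/// example; a real server decodes in its HTTP layer). Malformed escapes
/// are kept literally.
fn percent_decode(s: &str) -> String {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' && i + 2 < b.len() {
            let hex = std::str::from_utf8(&b[i + 1..i + 3]).ok();
            if let Some(v) = hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(b[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Vulnerable pattern (the shape of the bug described above): the decoded
/// collection name is joined straight into the snapshot root. `Path::join`
/// neither rejects nor resolves "..", and an absolute name replaces the
/// root entirely, so the write lands wherever the client says.
fn vulnerable_snapshot_path(root: &Path, raw_name: &str, file: &str) -> PathBuf {
    root.join(percent_decode(raw_name)).join(file)
}

/// A collection or file name must be exactly one normal path component:
/// no separators (either flavour), no NUL, not "." or "..", not absolute.
fn validate_segment(s: &str) -> Result<(), String> {
    if s.contains(|c: char| c == '/' || c == '\\' || c == '\0') {
        return Err(format!("separator or NUL in {s:?}"));
    }
    let mut comps = Path::new(s).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(_)), None) => Ok(()),
        _ => Err(format!("not a single path component: {s:?}")),
    }
}

/// Lexical normalisation: drop "." and resolve "..", failing if ".." would
/// climb above the start of the path. This matters because
/// `Path::starts_with` compares components literally and reports that
/// "root/../../etc" starts with "root".
fn normalize(p: &Path) -> Result<PathBuf, String> {
    let mut out = PathBuf::new();
    for comp in p.components() {
        match comp {
            Component::CurDir => {}
            Component::ParentDir => {
                if !out.pop() {
                    return Err(format!("path climbs above its root: {}", p.display()));
                }
            }
            other => out.push(other.as_os_str()),
        }
    }
    Ok(out)
}

/// Hardened pattern: validate both user-controlled segments before they
/// touch the filesystem, then normalise and confirm the result is still
/// inside the snapshot root as defence in depth.
fn safe_snapshot_path(root: &Path, raw_name: &str, file: &str) -> Result<PathBuf, String> {
    let name = percent_decode(raw_name);
    validate_segment(&name)?;
    validate_segment(file)?;
    let path = normalize(&root.join(&name).join(file))?;
    if !path.starts_with(normalize(root)?) {
        return Err(format!("{} escapes {}", path.display(), root.display()));
    }
    Ok(path)
}

fn main() {
    // Assumed snapshot root and a constructed collection name that
    // percent-decodes to "../../etc".
    let root = Path::new("/var/qdrant/snapshots");
    let evil = "%2e%2e%2f%2e%2e%2fetc";
    println!("vulnerable: {}", vulnerable_snapshot_path(root, evil, "passwd").display());
    println!("hardened:   {:?}", safe_snapshot_path(root, evil, "passwd"));
    println!("hardened:   {:?}", safe_snapshot_path(root, "my_collection", "snap.snapshot"));
}
```

Two points worth checking in any fix for this class of bug: validation has to run on the decoded name, since the HTTP layer will already have turned "%2e%2e%2f" into "../" by the time the path is built; and a bare `starts_with` prefix check on the joined path is not a defence on its own, because it does not resolve "..". Rejecting anything that is not a single plain path component is the check that actually closes the hole; the normalised prefix check is only a second line.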

Exploit

Fix

Path traversal

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-04519
CVE-2024-3584
GHSA-XCR2-H8HV-6227

Affected Products

Qdrant