CVE-2024-41672

Name of the Vulnerable Software and Affected Versions DuckDB versions 1.0.0 and prior

Description The issue is related to the sniff csv function in DuckDB, which allows access to the filesystem even when enable external access is set to false. This provides an attacker with unauthorized access to protected information. There are two vectors to this issue: access to files that should not be allowed and the ability to read content from files, such as /etc/hosts and proc/self/environ, which is not the intended use of the sniff csv function.

Recommendations For versions 1.0.0 and prior, consider disabling the local file system using the disabled filesystems setting to mitigate the issue. Specifically, set disabled filesystems='LocalFileSystem' to prevent access to the local file system. As a temporary workaround, consider disabling the sniff csv function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability, but a fix is expected to be part of version 1.1.0.