AVID-2026-R1423

Description

Path Traversal and Arbitrary File Upload Vulnerability in qdrant/qdrant (CVE-2024-2221)

Details

qdrant/qdrant contains a path traversal and arbitrary file upload vulnerability in the /collections/{COLLECTION}/snapshots/upload endpoint, reachable through the snapshot parameter. The flaw allows attackers to upload and overwrite any file on the filesystem, which can lead to remote code execution. It affects the integrity and availability of the system, enabling unauthorized access and potentially causing the server to malfunction.

Reason for inclusion in AVID: CVE-2024-2221 describes a path traversal and arbitrary file upload vulnerability in qdrant/qdrant, enabling potential remote code execution. qdrant is a vector database commonly used in AI pipelines, making this a software component in AI systems and their deployment stack. It is a software supply chain issue affecting AI runtimes/deployments. The report provides explicit vulnerability details (endpoint, snapshot parameter, CWE-434, CVSS 3.0 metrics), establishing a clear security risk. Therefore, it satisfies AI relevance, supply-chain relevance, security risk, and sufficiency of evidence.

References

Affected or Relevant Artifacts

  • Developer: qdrant
  • Deployer: qdrant
  • Artifact Details:
    Type     Name
    System   qdrant/qdrant

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version                 3.0
Vector String           CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score              9.8
Base Severity           🔴 Critical
Attack Vector           NETWORK
Attack Complexity       🟢 Low
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  🔴 High
Integrity Impact        🔴 High
Availability Impact     🔴 High

CWE

ID        Description
CWE-434   Unrestricted Upload of File with Dangerous Type

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-10
  • Version: 0.3.3
  • AVID Entry