AVID-2026-R1488

Description

Path Traversal in qdrant/qdrant (CVE-2024-3584)

Details

qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the /collections/{name}/snapshots/upload endpoint. By manipulating the name parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as /root/poc.txt. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0.

Reason for inclusion in AVID: CVE-2024-3584 describes a path traversal vulnerability in qdrant/qdrant that allows arbitrary file write on the server, a critical security flaw in a software component commonly used to support AI pipelines (vector search/embedding storage). This is a software supply-chain-relevant issue affecting components used to build/deploy AI systems. The report provides explicit vulnerability details (unvalidated input, write to arbitrary path) and references a fix, satisfying criteria for AI-related, supply-chain, and security/vulnerability evidence.

References

Affected or Relevant Artifacts

  • Developer: qdrant
  • Deployer: qdrant
  • Artifact Details:
      Type: System
      Name: qdrant/qdrant

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

ID: CWE-20
Description: Improper Input Validation

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-05-30
  • Version: 0.3.3
  • AVID Entry