CVE-2024-24565
published 2024-01-30


Priority: P3 · 47 · medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 3.08% (86.1th percentile)
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
crate | crate | < 5.3.9 | 5.3.9
crate | crate | |
crate | crate | |
crate | crate | |
cratedb | cratedb | < 5.3.9 | 5.3.9
cratedb | cratedb | >= 5.4.0 < 5.4.8 | 5.4.8
cratedb | cratedb | >= 5.5.0 < 5.5.4 | 5.5.4
cratedb | cratedb | >= 5.6.0 < 5.6.1 | 5.6.1

Detection & IOCs (extracted from sources)

url: /_sql?types
command: CREATE TABLE <tablename>(info_leak STRING)
command: COPY <tablename> FROM '/etc/passwd' with (format='csv', header=false)
command: SELECT * FROM <tablename> limit 100
path: /etc/passwd
yara: regex('root:.*:0:0:', body_3)
  • Detect exploitation attempts by monitoring POST requests to the CrateDB SQL endpoint '/_sql?types' containing the COPY FROM SQL statement referencing local filesystem paths (e.g., '/etc/passwd').
  • Successful exploitation is confirmed when the HTTP response body to a SELECT query against the created table matches the regex 'root:.*:0:0:', indicating /etc/passwd content was imported.
  • A full exploit chain consists of three sequential POST requests to /_sql?types: (1) CREATE TABLE with a STRING column, (2) COPY FROM a local file path, (3) SELECT * to exfiltrate the file contents. Monitor for this pattern.
  • FOFA/Shodan fingerprint for exposed CrateDB instances: search for title="CrateDB" to identify potentially vulnerable internet-facing nodes.
  • Content-Type header 'application/json; charset=UTF-8' is used in all exploit requests to the CrateDB SQL API endpoint.
  • Exploitation requires authentication: the attacker must have valid credentials to the CrateDB instance before issuing COPY FROM SQL statements.
  • The vulnerability is patched in CrateDB versions 5.3.9, 5.4.8, 5.5.4, and 5.6.1. Detection rules should be scoped to instances running versions prior to these fixes.
  • The COPY FROM exploit uses the 'csv' format with 'header=false' option to bypass any header-row validation when importing arbitrary files.
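The monitoring notes above can be turned into a small correlation rule. The following is an added example, not code from this page or from the CrateDB project: it walks HTTP log records and flags COPY FROM statements that read a local path, then escalates when the same client selects from that table. The record fields (`src`, `method`, `path`, `body`, `response`), the `{"stmt": ...}` request body shape, and the names `detect` and `make_event` are assumptions of this sketch.

```python
import json
import re

# Statement patterns for the three requests listed above (case-insensitive).
CREATE = re.compile(r"\bCREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w.\"]+)", re.I)
COPY_FROM = re.compile(r"\bCOPY\s+([\w.\"]+).*?\bFROM\s+'([^']*)'", re.I | re.S)
SELECT = re.compile(r"\bSELECT\b.+?\bFROM\s+([\w.\"]+)", re.I | re.S)
PASSWD = re.compile(r"root:.*:0:0:")  # response matcher quoted on this page

def table_name(name):
    return name.replace('"', "").lower()

def is_local(uri):  # bare absolute paths and file:// URIs read the node's own disk
    return uri.startswith("/") or uri.lower().startswith("file://")

def detect(events):
    """Return (src, table, finding, uri) tuples for POSTs to the /_sql endpoint."""
    created, copied, alerts = set(), {}, []
    for ev in events:
        if ev["method"] != "POST" or not ev["path"].startswith("/_sql"):
            continue
        try:
            stmt = json.loads(ev["body"])["stmt"]  # assumed body: {"stmt": "<SQL>"}
        except (ValueError, KeyError, TypeError):
            continue
        src = ev["src"]
        if m := CREATE.search(stmt):
            created.add((src, table_name(m.group(1))))
        elif m := COPY_FROM.search(stmt):
            key, uri = (src, table_name(m.group(1))), m.group(2)
            if is_local(uri):
                copied[key] = uri
                alerts.append((*key, "copy_from_local_file", uri))
        elif (m := SELECT.search(stmt)) and (key := (src, table_name(m.group(1)))) in copied:
            finding = "chain_complete" if key in created else "read_after_copy"
            if PASSWD.search(ev.get("response", "")):
                finding = "passwd_in_response"
            alerts.append((*key, finding, copied[key]))
    return alerts

def make_event(src, stmt, response=""):  # builds one constructed log record
    return {"src": src, "method": "POST", "path": "/_sql?types",
            "body": json.dumps({"stmt": stmt}), "response": response}

SAMPLE = [  # constructed events, not captured traffic
    make_event("10.0.0.5", "CREATE TABLE t1(info_leak STRING)"),
    make_event("10.0.0.5", "COPY t1 FROM '/etc/passwd' with (format='csv', header=false)"),
    make_event("10.0.0.9", "COPY metrics FROM 's3://bucket/m.csv'"),
    make_event("10.0.0.5", "SELECT * FROM t1 limit 100", '{"rows":[["root:x:0:0:root:/root:/bin/bash"]]}'),
]
```

Table names are compared as written, so a statement that schema-qualifies the table in one request but not the next will not correlate; normalise names against the default schema before relying on the chain findings.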