CVSS: 6.5EPSS: 14%CPEs: 4EXPL: 1CVE-2024-24565 – CrateDB database has an arbitrary file read vulnerability
https://notcve.org/view.php?id=CVE-2024-24565
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1. CrateDB es una base de datos SQL distribuida que simplifica el almacenamiento y análisis de cantidades masivas de datos en tiempo real. • https://github.com/crate/crate/commit/4e857d675683095945dd524d6ba03e692c70ecd6 https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-51982
https://notcve.org/view.php?id=CVE-2023-51982
CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.(https://github.com/crate/crate/issues/15231) CrateDB 5.5.1 contiene una vulnerabilidad de omisión de autenticación en el componente de la interfaz de usuario de administración. Después de configurar la autenticación de contraseña y_ Local_ En el caso de una dirección, la autenticación de identidad se puede omitir configurando el encabezado de solicitud de IP de X-Real en un valor específico y accediendo a la interfaz de usuario del administrador directamente utilizando la identidad de usuario predeterminada. (https://github. es/crate/crate/issues/15231) • https://github.com/crate/crate/issues/15231 • CWE-287: Improper Authentication •