Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <cad0f5b0-fc9e-21be-a219-040b9d53d64b@apache.org>
Date: Tue, 04 Feb 2025 14:35:42 +0000
From: Mingyu Chen <morningman@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-48019: Apache Doris: allows admin users to read arbitrary
 files through the REST API 

Severity: LOW

Affected versions:

- Apache Doris 2.1.0 before 2.1.8
- Apache Doris 3.0.0 before 3.0.3

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris.


Application administrators can read arbitrary
files from the server filesystem through path traversal.


Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue.

Credit:

Man Yue Mo of the GitHub Security Lab team (finder)

References:

https://doris.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-48019

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.