Login Sign Up

CVE-2024-3584

7.5 HIGH
Path Traversal

📋 TL;DR

CVE-2024-3584 is a path traversal vulnerability in qdrant/qdrant version 1.9.0-dev that allows attackers to write arbitrary files to any location on the server by manipulating the 'name' parameter in the /collections/{name}/snapshots/upload endpoint. This can lead to complete system compromise through file overwrites. Only users running the vulnerable development version 1.9.0-dev are affected.

💻 Affected Systems

Products:
  • qdrant/qdrant
Versions: 1.9.0-dev only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the development version 1.9.0-dev; production versions are not vulnerable.

📦 What is this software?

Qdrant by Qdrant

View all CVEs affecting Qdrant →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system takeover via arbitrary file write leading to remote code execution, privilege escalation, or service disruption.

🟠

Likely Case

Arbitrary file creation/overwrite leading to data corruption, denial of service, or initial foothold for further attacks.

🟢

If Mitigated

Limited impact if proper file permissions, sandboxing, and network controls prevent exploitation.

🌐 Internet-Facing: HIGH - Exploitable remotely via HTTP request without authentication.
🏢 Internal Only: HIGH - Even internal attackers can exploit this to compromise the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation with URL encoding required; exploit details available in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0

Vendor Advisory: https://github.com/qdrant/qdrant/commit/15479a45ffa3b955485ae516696f7e933a8cce8a

Restart Required: Yes

Instructions:

1. Stop qdrant service. 2. Update to version 1.9.0 or later. 3. Restart qdrant service.

🔧 Temporary Workarounds

Disable vulnerable endpoint

linux

Block access to /collections/{name}/snapshots/upload endpoint via firewall or web server configuration.

iptables -A INPUT -p tcp --dport 6333 -m string --string "/collections/" --algo bm -j DROP

Restrict file permissions

linux

Run qdrant with minimal privileges and restrict write access to sensitive directories.

chmod -R 755 /var/lib/qdrant
chown -R qdrant:qdrant /var/lib/qdrant

🧯 If You Can't Patch

  • Deploy network-level controls to restrict access to qdrant service only to trusted sources.
  • Implement application-level input validation to sanitize the 'name' parameter before processing.

🔍 How to Verify

Check if Vulnerable:

Check if running qdrant version 1.9.0-dev via version command or configuration files.

Check Version:

curl -s http://localhost:6333 | grep version

Verify Fix Applied:

Confirm version is 1.9.0 or later and test endpoint with malicious payloads to ensure rejection.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /collections/*/snapshots/upload with URL-encoded path traversal sequences (e.g., %2e%2e%2f)

Network Indicators:

  • Unusual file write patterns or unexpected outbound connections from qdrant process

SIEM Query:

source="qdrant.log" AND uri="/collections/*/snapshots/upload" AND (uri CONTAINS "%2e%2e" OR uri CONTAINS "%2f")

📊 Metadata

CVE ID: CVE-2024-3584
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-20
Published: May 30, 2024
Last Updated: July 10, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-3584, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2024-3400 10.0

CVE-2024-3400 is a critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProte...

Same vulnerability type (CWE-20)
CVE-2023-42802 10.0

This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized d...

Same vulnerability type (CWE-20)