CVE-2024-48019

Published: Feb 4, 2025Modified: Jun 9, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Application administrators can read arbitrary files from the server filesystem through path traversal. Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue.

Affected (2)

Products: Apache: Doris

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Doris	From 2.1.0 to 2.1.8
Apache Doris	From 3.0.0 to 3.0.3

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (2)

https://lists.apache.org/thread/p70klgmyrgknhn0t195261wvwv5jw6hr

Source: security@apache.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/02/04/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.