Doris
CVE-2024-48019
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris.
Application administrators can read arbitrary files from the server filesystem through path traversal.
Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue.
AnalysisAI
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Application administrators can read arbitrary files from the server filesystem through path traversal. Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue. Affected products include: Apache Doris. Version information: version 2.1.8.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
Download of Code Without Integrity Check vulnerability in Apache Doris. Rated critical severity (CVSS 9.8), this vulnera
Missing authentication on Apache Doris Frontend (FE) HTTP REST administrative APIs allows any unauthenticated attacker w
The api /api/snapshot and /api/get_log_file would allow unauthenticated access. Rated high severity (CVSS 8.2), this vul
Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lea
Possible race condition vulnerability in Apache Doris. Rated medium severity (CVSS 5.3), this vulnerability is low attac
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today