Path Traversal Vulnerability in Apache Doris
CVE-2024-48019

5.4MEDIUM

Key Information:

Vendor: Apache
Status: Apache Doris
Vendor: CVE Published:; 4 February 2025

Summary

A vulnerability in Apache Doris allows application administrators to read arbitrary files from the server filesystem due to improper limitations on pathname access. This path traversal issue could be exploited by malicious users to access sensitive information that should remain restricted. To mitigate this risk, it is essential for users to upgrade to version 2.1.8, 3.0.3, or later, which addresses this vulnerability.

Affected Version(s)

Apache Doris 2.1.0 < 2.1.8

Apache Doris 3.0.0 < 3.0.3

References

https://lists.apache.org/thread/p70klgmyrgknhn0t195261wvw...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Oct 8, 2024

Credit

Man Yue Mo of the GitHub Security Lab team