Path Traversal Vulnerability in Apache Doris
CVE-2024-48019

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Doris
Vendor: CVE Published:; 4 February 2025

Summary

A vulnerability in Apache Doris allows application administrators to read arbitrary files from the server filesystem due to improper limitations on pathname access. This path traversal issue could be exploited by malicious users to access sensitive information that should remain restricted. To mitigate this risk, it is essential for users to upgrade to version 2.1.8, 3.0.3, or later, which addresses this vulnerability.

Affected Version(s)

Apache Doris 2.1.0 < 2.1.8

Apache Doris 3.0.0 < 3.0.3

References

https://lists.apache.org/thread/p70klgmyrgknhn0t195261wvw...

vendor-advisory

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Oct 8, 2024

Credit

Man Yue Mo of the GitHub Security Lab team