Response to CVE-2024-2221: Arbitrary file upload vulnerability
Mike Jang
·April 05, 2024
On this page:
Summary
A security vulnerability has been discovered in Qdrant affecting all versions prior to v1.9, described in CVE-2024-2221. The vulnerability allows an attacker to upload arbitrary files to the filesystem, which can be used to gain remote code execution.
The vulnerability does not materially affect Qdrant cloud deployments, as that filesystem is read-only and authentication is enabled by default. At worst, the vulnerability could be used by an authenticated user to crash a cluster, which is already possible, such as by uploading more vectors than can fit in RAM.
Qdrant has addressed the vulnerability in v1.9.0 and above with code that restricts file uploads to a folder dedicated to that purpose.
Action
Check the current version of your Qdrant deployment. Upgrade if your deployment is not at least v1.9.0.
To confirm the version of your Qdrant deployment in the cloud or on your local or cloud system, run an API GET call, as described in the Qdrant Cloud Setup guide. If your Qdrant deployment is local, you do not need an API key.
Your next step depends on how you installed Qdrant. For details, read the Qdrant Installation guide.
If you use the Qdrant container or binary
Upgrade your deployment. Run the commands in the applicable section of the Qdrant Installation guide. The default commands automatically pull the latest version of Qdrant.
If you use the Qdrant helm chart
If you’ve set up Qdrant on kubernetes using a helm chart, follow the README in the qdrant-helm repository. Make sure applicable configuration files point to version v1.9.0 or above.
If you use the Qdrant cloud
No action is required. This vulnerability does not materially affect you. However, we suggest that you upgrade your cloud deployment to the latest version.
Note: This article has been updated on 2024-05-10 to encourage users to upgrade to 1.9.0 to ensure protection from both CVE-2024-2221 and CVE-2024-3829.