Response to CVE-2024-3829: Arbitrary file upload vulnerability
Mac Chaffee
June 10, 2024
Summary
A security vulnerability has been discovered in Qdrant affecting all versions prior to v1.9, described in CVE-2024-3829. The vulnerability allows an attacker to upload arbitrary files to the filesystem, which can be used to gain remote code execution. It is similar to, but distinct from, CVE-2024-2221, announced in April 2024.
The vulnerability does not materially affect Qdrant cloud deployments, because their filesystem is read-only and authentication is enabled by default. At worst, an authenticated user could use it to crash a cluster, which is already possible by other means, such as uploading more vectors than fit in RAM.
Qdrant has addressed the vulnerability in v1.9.0 and above with code that restricts file uploads to a folder dedicated to that purpose.
Action
Check the current version of your Qdrant deployment. Upgrade if your deployment is not at least v1.9.0.
To confirm the version of your Qdrant deployment, whether it runs locally or in the cloud, send a GET request to the API as described in the Qdrant Quickstart guide. If your deployment is local, you do not need an API key.
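The version check above as a small Python script; this is an added example, not code from Qdrant or from the original post. It assumes that GET / on an instance returns a JSON body with a `version` field and that an API key, when needed, is sent in the `api-key` header; the sample response below is constructed, and pre-release builds of 1.9.0 are treated as older than the release.

```python
import json
import os
import re
import urllib.request
from typing import Optional, Tuple

# CVE-2024-3829 is fixed in v1.9.0 and above. The trailing 1 marks a release build;
# a pre-release of the same number gets 0 and therefore sorts below it (as in semver).
FIXED_VERSION = (1, 9, 0, 1)

# Constructed sample of the JSON a Qdrant instance is assumed to return on GET /.
SAMPLE_ROOT_RESPONSE = b'{"title":"qdrant - vector search engine","version":"1.8.4"}'

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn "1.9.0", "v1.8.4" or "1.9.0-dev" into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Qdrant version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_patched(version: str) -> bool:
    """True when the version is v1.9.0 or later; pre-releases of 1.9.0 count as older."""
    return parse_version(version) >= FIXED_VERSION


def version_from_root_response(body: bytes) -> str:
    """Extract the version field from the GET / response body."""
    return json.loads(body)["version"]


def fetch_qdrant_version(base_url: str, api_key: Optional[str] = None, timeout: float = 5.0) -> str:
    """Call GET / on a running instance; the api-key header is only needed when auth is enabled."""
    req = urllib.request.Request(base_url.rstrip("/") + "/")
    if api_key:
        req.add_header("api-key", api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_root_response(resp.read())


if __name__ == "__main__":
    # Hypothetical environment variables; leave QDRANT_API_KEY unset for a local deployment.
    url = os.environ.get("QDRANT_URL", "http://localhost:6333")
    found = fetch_qdrant_version(url, os.environ.get("QDRANT_API_KEY"))
    verdict = "patched" if is_patched(found) else "affected by CVE-2024-3829, upgrade to v1.9.0 or later"
    print(f"{url}: Qdrant {found} is {verdict}")
```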
Your next step depends on how you installed Qdrant. For details, read the Qdrant Installation guide.
If you use the Qdrant container or binary
Upgrade your deployment. Run the commands in the applicable section of the Qdrant Installation guide. The default commands automatically pull the latest version of Qdrant.
If you use the Qdrant helm chart
If you’ve set up Qdrant on Kubernetes using a Helm chart, follow the README in the qdrant-helm repository. Make sure the applicable configuration files point to version v1.9.0 or above.
If you use the Qdrant cloud
No action is required. This vulnerability does not materially affect you. However, we suggest that you upgrade your cloud deployment to the latest version.