=====================================================================

                            CERT-Renater

                  Note d'Information No. 2025/VULN068

_____________________________________________________________________

DATE                : 05/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Doris versions prior to
                     2.1.8, 3.0.3.

=====================================================================
https://lists.apache.org/thread/nzhoc1ott7vl3ot9zobz9p9qwzr4kp2r
_____________________________________________________________________

CVE-2024-48019: Apache Doris: allows admin users to read arbitrary
files through the REST API


Severity: LOW

Affected versions:

- Apache Doris 2.1.0 before 2.1.8
- Apache Doris 3.0.0 before 3.0.3


Description:

Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal'), Files or Directories Accessible to External
Parties vulnerability in Apache Doris.


Application administrators can read arbitrary
files from the server filesystem through path traversal.


Users are recommended to upgrade to version 2.1.8, 3.0.3 or later,
which fixes the issue.
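The weakness class named above (CWE-22 path traversal in a file-serving endpoint) is mitigated by canonicalising the requested path and checking that the result still lies inside the directory the endpoint is allowed to serve. The following is an added illustration written for this note; it is not Apache Doris code and does not reproduce the affected REST endpoint. The function names (resolve_within, read_file_checked, demo) and the temporary directory layout are constructed for the example.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` under `base_dir`,
    or raise PathTraversalError if it would resolve outside `base_dir`.

    realpath() collapses '..' segments and follows symlinks, so the
    containment check is made on the path the OS would actually open,
    not on the string the client supplied.
    """
    base = os.path.realpath(base_dir)
    # Reject absolute requests outright: os.path.join() would discard
    # base_dir entirely for an absolute second argument.
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith(): '/data/files' must not accept
    # '/data/files2/secret' as "inside" the base directory.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def read_file_checked(base_dir: str, requested: str) -> bytes:
    """Read a file only after the containment check has passed."""
    path = resolve_within(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed sandbox and exercise the check with typical
    traversal shapes. Returns a mapping of request -> content or 'REJECTED'."""
    root = tempfile.mkdtemp()
    served = os.path.join(root, "files")     # directory the endpoint may serve
    os.mkdir(served)
    with open(os.path.join(served, "report.txt"), "w") as fh:
        fh.write("ok")
    with open(os.path.join(root, "secret.txt"), "w") as fh:  # outside the base
        fh.write("secret")
    # A symlink inside the served directory that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(served, "link"))

    requests = [
        "report.txt",          # legitimate
        "../secret.txt",       # classic dot-dot traversal
        "link",                # symlink escaping the base
        "/etc/hostname",       # absolute path
        "sub/../report.txt",   # harmless '..' that stays inside the base
    ]
    results = {}
    for req in requests:
        try:
            results[req] = read_file_checked(served, req).decode()
        except (PathTraversalError, OSError):
            results[req] = "REJECTED"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:22} -> {outcome}")
```

The check is made after canonicalisation on purpose: filtering the input string for ".." alone misses symlinks, encoded separators and platform-specific normalisation, whereas comparing the resolved path against the resolved base catches all of them with one rule. The same pattern applies regardless of the caller's privilege level, which matters here because the affected endpoint was reachable by administrators, a role that is often exempted from input validation but should not be exempted from filesystem containment.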


Credit:

Man Yue Mo of the GitHub Security Lab team (finder)

References:

https://doris.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-48019


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email: cert@support.renater.fr +
=========================================================
