Description

DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in filesystem is accessible for reading using `sniff_csv`, even with `enable_external_access=false`. This vulnerability provides an attacker with access to filesystem even when access is expected to be disabled and other similar functions do NOT provide access. There seem to be two vectors to this vulnerability. First, access to files that should otherwise not be allowed. Second, the content from a file can be read (e.g. `/etc/hosts`, `proc/self/environ`, etc) even though that doesn't seem to be the intent of the sniff_csv function. A fix for this issue is available in commit c9b7c98aa0e1cd7363fe8bb8543a95f38e980d8a and is expected to be part of version 1.1.0.

INFO

Published Date :

2024-07-24T17:47:20.626Z

Last Modified :

2024-08-02T04:46:52.916Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-41672 vulnerability.

Vendors Products
Duckdb
  • Duckdb
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-41672.

URL Resource
https://github.com/duckdb/duckdb/commit/c9b7c98aa0e1cd7363fe8bb8543a95f38e980d8a cve-icon cve-icon cve-icon
https://github.com/duckdb/duckdb/pull/13133 cve-icon cve-icon cve-icon
https://github.com/duckdb/duckdb/security/advisories/GHSA-w2gf-jxc9-pf2q cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact