CVE-2024-3078 Overview
A critical path traversal vulnerability has been identified in Qdrant, an open-source vector similarity search engine, affecting versions up to 1.6.1, 1.7.4, and 1.8.2. This vulnerability exists in the file lib/collection/src/collection/snapshots.rs within the Full Snapshot REST API component. The flaw allows attackers to manipulate file paths to access arbitrary files on the server, potentially leading to unauthorized data access, information disclosure, or system compromise.
Critical Impact
This path traversal vulnerability in Qdrant's snapshot functionality allows unauthenticated remote attackers to access sensitive files outside the intended directory, potentially compromising the entire system hosting the vector database.
Affected Products
- Qdrant versions up to and including 1.6.1
- Qdrant versions up to and including 1.7.4
- Qdrant versions up to and including 1.8.2
Discovery Timeline
- 2024-03-29 - CVE-2024-3078 published to NVD
- 2025-05-07 - Last updated in NVD database
Technical Details for CVE-2024-3078
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw resides in the Full Snapshot REST API component of Qdrant, specifically in how the application processes user-supplied input when handling snapshot operations.
The vulnerable code in lib/collection/src/collection/snapshots.rs fails to properly sanitize file path inputs, allowing an attacker to craft malicious requests containing directory traversal sequences such as ../ to escape the intended snapshot directory. This enables access to arbitrary files on the underlying file system with the privileges of the Qdrant process.
Given that Qdrant is often deployed in data-sensitive environments for vector similarity search operations, successful exploitation could expose configuration files, database contents, credentials, or other sensitive information stored on the host system.
Root Cause
The root cause of this vulnerability is insufficient input validation and path canonicalization in the snapshot handling functionality. The application fails to properly normalize and validate user-controlled path components before using them in file system operations. Without adequate checks to ensure the resolved path remains within the intended snapshot directory, attackers can traverse outside the restricted directory structure.
Attack Vector
This vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker can send specially crafted HTTP requests to the Full Snapshot REST API endpoint containing path traversal sequences in the snapshot name or path parameters.
The attack leverages the application's failure to sanitize directory traversal characters, allowing the attacker to:
- Identify the Full Snapshot REST API endpoint
- Craft a malicious request with path traversal sequences (e.g., ../../etc/passwd)
- Submit the request to read arbitrary files from the server
- Potentially write to arbitrary locations depending on the specific functionality exposed
For detailed technical information about the vulnerability and the fix implemented, see the GitHub Pull Request Discussion and GitHub Commit Changes.
Detection Methods for CVE-2024-3078
Indicators of Compromise
- HTTP requests to snapshot API endpoints containing ../ or encoded variants (%2e%2e%2f, ..%2f, %2e%2e/)
- Unusual access patterns to the Qdrant REST API, particularly snapshot-related endpoints
- Log entries showing access attempts to files outside the normal snapshot directory structure
- Unexpected file read operations in system monitoring tools from the Qdrant process
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Configure intrusion detection systems (IDS) to alert on requests containing directory traversal sequences targeting Qdrant endpoints
- Review Qdrant access logs for suspicious requests with encoded or decoded traversal characters
- Deploy file integrity monitoring on sensitive directories to detect unauthorized access attempts
Monitoring Recommendations
- Enable detailed logging for all Qdrant REST API requests, particularly those involving snapshot operations
- Monitor network traffic for anomalous request patterns to the Qdrant service
- Set up alerts for any file access operations outside the designated snapshot directories
- Implement application-level monitoring to track file system operations performed by the Qdrant process
How to Mitigate CVE-2024-3078
Immediate Actions Required
- Upgrade Qdrant to version 1.8.3 or later immediately to address this vulnerability
- If immediate upgrade is not possible, restrict network access to the Qdrant REST API to trusted sources only
- Implement network segmentation to limit exposure of the Qdrant service
- Review access logs for any signs of prior exploitation attempts
Patch Information
Qdrant has released version 1.8.3 which addresses this vulnerability. The fix is contained in commit 3ab5172e9c8f14fa1f7b24e7147eac74e2412b62. The patch implements proper path validation and canonicalization to prevent directory traversal attacks.
Recommended Action: Upgrade to Qdrant version 1.8.3 or later. For detailed patch information, see the GitHub Release v1.8.3.
Workarounds
- Deploy a reverse proxy or WAF in front of Qdrant to filter requests containing path traversal patterns
- Restrict access to the Full Snapshot REST API endpoints through network-level controls (firewall rules, ACLs)
- Run Qdrant in a containerized environment with minimal file system access and read-only mounts where possible
- Implement strict API access controls limiting snapshot operations to authenticated and authorized users only
# Example: Restrict Qdrant network access using iptables
# Allow only trusted IP addresses to access Qdrant API port (default 6333)
iptables -A INPUT -p tcp --dport 6333 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 6333 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
