CVE-2024-24565: 
Java vulnerability analysis and mitigation

CVE-2024-24565 is a security vulnerability discovered in CrateDB database's COPY FROM function, which is used to import file data into database tables. The vulnerability was disclosed on January 30, 2024, affecting CrateDB versions <=5.3.8, <=5.4.7, <=5.5.3, and 5.6.0. This flaw allows authenticated database users to read any file on the system that the CrateDB process has access to (GitHub Advisory).

The vulnerability exists in the COPY FROM function of CrateDB, which allows authenticated users to import file content into database tables. The flaw enables attackers to read arbitrary files on the host system by specifying file URIs in the COPY FROM command. The vulnerability has been assigned a CVSS v3.1 score of 5.7 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, and high impact on confidentiality (GitHub Advisory).

The vulnerability allows authenticated attackers to read sensitive system files and obtain confidential information that could be used for further attacks. This affects both standalone CrateDB installations and CrateDB Cloud Clusters. The impact is primarily on data confidentiality, with no direct effect on system integrity or availability (GitHub Advisory).

The vulnerability has been patched in versions 5.3.9, 5.4.8, 5.5.4, and 5.6.1. The fix restricts the file:// scheme usage in COPY FROM commands to the 'crate' superuser only, preventing regular users from accessing local files through this function (GitHub Commit).