Version: 24.3.x

Security Bulletins

Dremio publishes security bulletins that disclose vulnerabilities found in our supported products to inform customers about risks that may be present in their production environments.

Security bulletins are usually published when fixes are available in the affected products. In some cases, we may disclose a vulnerability before the fix is available.

Security bulletins include the following information:

Type
Qualitative rating as determined by CVSSv3.1 analysis
Issue description
Issue impact
Available mitigations or fixes

Bulletin	Type	CVSS Rating	Subject	Description
2024-02-07-01	Vulnerability	Medium	Security Update	The COPY INTO command does not verify users' SELECT privileges.
2024-01-12-01	Vulnerability	High	Security Update	Path traversal vulnerability bypassed folder-level role-based access control (RBAC).
2024-01-09-01	Vulnerability	High	Security Update	The Dremio-to-Dremio connector does not fully validate table-level access in certain cases.
2023-07-22-03	Vulnerability	Medium	Security Update	Potential unintended user access to restricted data as a result of previously cached view.
2023-07-22-02	Vulnerability	Medium	Security Update	Potential unintended user access to restricted data as a result of accelerated DML operation.
2023-07-22-01	Vulnerability	Medium	Security Update	Potential unintended user access to restricted data as a result of previously-executed cached plans.