Skip to main content
Version: 24.3.x

Security Bulletin 2023-07-22-03

Abstract

Potential unintended user access to restricted data as a result of previously cached view.

CVSS Qualitative Rating

Affected Releases

  • Dremio 24.0.0 through 24.0.x
  • Dremio 23.0.0 through 23.1.x
  • Dremio 22.0.0 through 22.1.x
  • Dremio 21.0.0 through 21.7.x
  • Dremio 20.0.0 through 20.8.x
  • Dremio 19.0.0 through 19.11.x

Problem Description

In Affected Releases, user context was not validated when a user was querying a view generated from an underlying restricted table. It was only possible in cases where a user was given access to a table which was restricted later.

In Fixed Releases, permissions are validated in the caching catalog.

Resolution Actions

Upgrade to a Fixed Release that resolves the issue.

Fixed Releases

  • Dremio 24.1.0 and above
  • Dremio 23.2.0 and above
  • Dremio 22.2.0 and above
  • Dremio 21.8.1 and above
  • Dremio 20.9.0 and above
  • Dremio 19.12.0 and above