Skip to main content

Version: 24.3.x

Security Bulletin 2023-07-22-03

Abstract

Potential unintended user access to restricted data as a result of previously cached view.

CVSS Qualitative Rating

Medium
CVSSv3.1
- Score: 6.5
- AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Releases

Dremio 24.0.0 through 24.0.x
Dremio 23.0.0 through 23.1.x
Dremio 22.0.0 through 22.1.x
Dremio 21.0.0 through 21.7.x
Dremio 20.0.0 through 20.8.x
Dremio 19.0.0 through 19.11.x

Problem Description

In Affected Releases, user context was not validated when a user was querying a view generated from an underlying restricted table. It was only possible in cases where a user was given access to a table which was restricted later.

In Fixed Releases, permissions are validated in the caching catalog.

Resolution Actions

Upgrade to a Fixed Release that resolves the issue.

Fixed Releases

Dremio 24.1.0 and above
Dremio 23.2.0 and above
Dremio 22.2.0 and above
Dremio 21.8.1 and above
Dremio 20.9.0 and above
Dremio 19.12.0 and above

Abstract
CVSS Qualitative Rating
Affected Releases
Problem Description
Resolution Actions
Fixed Releases