Security Bulletin 2024-01-09-01
Abstract
The Dremio-to-Dremio connector does not fully validate table-level access in certain cases.
CVSS Qualitative Rating
- High
- CVSSv3.1
- Score: 7.1
- AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Affected Releases
- Dremio 24.0.0 through 24.1.1
- Dremio 23.1.0 through 23.2.3
Problem Description
In Affected Releases, the Dremio-to-Dremio connector does not fully validate table-level permissions when user impersonation is enabled in the Dremio-to-Dremio source configuration and queries are accelerated.
The Dremio-to-Dremio connector was introduced in version 23.1.0. The issue does not affect any prior versions.
Resolution Actions
Upgrade to a Fixed Release that resolves the issue.
If you are unable to upgrade to a Fixed Release, set userImpersonation to false in the advanced options for the Dremio-to-Dremio source configuration until you can upgrade.
Fixed Releases
- Dremio 24.1.2 and above
- Dremio 23.2.4 and above
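
The following triage helper is an added example, not part of the bulletin or of Dremio's own tooling. It checks a version against the two affected ranges per release line, so that 24.0.0 is not wrongly cleared for being above 23.2.4. The inventory rows, the function names and the handling of a build suffix after x.y.z are assumptions.

```python
import re

# Affected ranges from this bulletin, inclusive, one per release line.
AFFECTED = [((23, 1, 0), (23, 2, 3)), ((24, 0, 0), (24, 1, 1))]


def parse_version(text):
    """Return (major, minor, patch) from the leading x.y.z of a version string.

    Assumption: anything after x.y.z (for example a build suffix) is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version falls inside either affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def triage(version, user_impersonation):
    """Classify one deployment by version and its source's userImpersonation setting."""
    if not is_affected(version):
        return "not affected"
    if user_impersonation:
        return "exposed: upgrade or set userImpersonation to false"
    return "workaround in place: upgrade when possible"


# Constructed inventory: (name, version, userImpersonation on the Dremio-to-Dremio source).
INVENTORY = [
    ("analytics-a", "23.0.5", True),        # predates the connector (23.1.0)
    ("analytics-b", "23.2.3", True),
    ("analytics-c", "24.0.0", False),
    ("analytics-d", "24.1.1-build7", True),  # constructed build suffix
    ("analytics-e", "24.1.2", True),
]


def report(inventory):
    """Map each deployment name to its triage result."""
    return {name: triage(ver, imp) for name, ver, imp in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```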