Security Bulletin 2024-01-12-01
Abstract
Path traversal vulnerability bypassed folder-level role-based access control (RBAC).
CVSS Qualitative Rating
- High
- CVSSv3.1
- Score: 8.8
- AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE-2024-23768
Affected Releases
- Dremio 24.0.0 through 24.3.0
- Dremio 23.0.0 through 23.2.3
- Dremio 22.0.0 through 22.2.2
Problem Description
In Affected Releases, an authenticated user who has no privileges on certain folders, or on the files and datasets within them, can nevertheless reach those folders, files, and datasets by performing a path traversal attack. The attack requires that the user already has access to the source and to at least one folder in that source; the folder-level RBAC check is then bypassed by a traversal launched from the folder the user is permitted to access.
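The class of bug described above, as an added illustration and not Dremio's code: a folder-level authorization check that is evaluated on the request string as written, before the path is resolved, beside a version that canonicalizes first and authorizes the path it will actually open. The source name s3-lake, the user analyst, the folder grant, and the request paths are all constructed for this example and model the bulletin's precondition that the attacker already holds a grant on one folder of the source.

```python
import posixpath
from urllib.parse import unquote

# Constructed fixture (hypothetical): folder-level grants keyed by user.
# "analyst" already holds a grant on one folder of the source "s3-lake",
# which is the precondition the bulletin states for a successful attack.
FOLDER_GRANTS = {
    "analyst": {"s3-lake/public"},
}


def has_folder_grant(user, path):
    """True when path is a granted folder or lies beneath one."""
    for folder in FOLDER_GRANTS.get(user, ()):
        if path == folder or path.startswith(folder + "/"):
            return True
    return False


def vulnerable_resolve(user, requested):
    """Authorizes the request string as written, then resolves it.
    '..' segments are honoured only after the check, so a request that
    starts under a granted folder can land on any folder in the source."""
    if not has_folder_grant(user, requested):
        return None
    return posixpath.normpath(requested)


def canonicalize(requested):
    """Decode exactly once and collapse '.' / '..' so that the string checked
    is the string opened. Returns None for absolute paths, backslashes, NULs,
    or anything that climbs above the source root."""
    decoded = unquote(requested)
    if decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return None
    canonical = posixpath.normpath(decoded)
    if canonical in (".", "..") or canonical.startswith("../"):
        return None
    return canonical


def hardened_resolve(user, requested):
    """Canonicalize first, then run the same folder-level check on the
    canonical path. A traversal now has to satisfy the grant itself."""
    canonical = canonicalize(requested)
    if canonical is None or not has_folder_grant(user, canonical):
        return None
    return canonical


if __name__ == "__main__":
    escape = "s3-lake/public/../finance/salaries"
    print("vulnerable:", vulnerable_resolve("analyst", escape))
    print("hardened:  ", hardened_resolve("analyst", escape))
    print("encoded:   ", hardened_resolve("analyst", "s3-lake/public/%2e%2e/finance/salaries"))
    print("legit:     ", hardened_resolve("analyst", "s3-lake/public/q1/report"))
```

The invariant worth keeping is that the authorizer and the storage layer see the same string; rejecting any ".." segment outright is an acceptable stricter variant. Percent-decoding must happen once, here, and nowhere downstream: if a later layer decodes again, a doubly encoded "%252e%252e" reopens the same gap.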
Resolution Actions
Upgrade to one of the Fixed Releases listed below, which resolve the issue.
Fixed Releases
- Dremio 24.3.1 and above
- Dremio 23.2.4 and above
- Dremio 22.2.3 and above