Security Bulletin 2025-04-21-01

Abstract​

An authenticated API endpoint allows arbitrary file deletion.

CVSS Qualitative Rating​

• High
• CVSSv4.0
  • Score: 8.4
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:H
• CVE-2025-2298

Affected Releases​

• Dremio 24.3.0 through 24.3.16
• Dremio 25.0.0 through 25.0.14
• Dremio 25.1.0 through 25.1.7
• Dremio 25.2.0 through 25.2.4

Problem Description​

In Affected Releases, an improper authorization vulnerability in Dremio allows authenticated users to delete arbitrary files that the system can access, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability exists due to insufficient access controls on an API endpoint, enabling any authenticated user to specify and delete files outside their intended scope. Exploiting this flaw could lead to data loss, denial of service (DoS), and potential escalation of impact depending on the deleted files.

Resolution Actions​

Upgrade to a Fixed Release that resolves the issue.

Fixed Releases​

• Dremio 24.3.17 and above
• Dremio 25.0.15 and above
• Dremio 25.1.8 and above
• Dremio 25.2.5 and above
• Dremio 26.0.0 and above