Security Bulletin 2024-01-09-01

Abstract

The Dremio-to-Dremio connector does not fully validate table-level access in certain cases.

CVSS Qualitative Rating

Affected Releases

  • Dremio 24.0.0 through 24.1.1
  • Dremio 23.1.0 through 23.2.3

Problem Description

In Affected Releases, the Dremio-to-Dremio connector does not fully validate table-level permissions when user impersonation is enabled in the Dremio-to-Dremio source configuration and queries are accelerated.

The Dremio-to-Dremio connector was introduced in version 23.1.0. The issue does not affect any prior versions.

Resolution Actions

Upgrade to a Fixed Release that resolves the issue.

If you are unable to upgrade to a Fixed Release, set userImpersonation to false in the advanced options for the Dremio-to-Dremio source configuration until you can upgrade.

Fixed Releases

  • Dremio 24.1.2 and above
  • Dremio 23.2.4 and above
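
The release ranges and the userImpersonation workaround above can be combined into a triage check for an inventory of deployments. The following Python is an added example, not Dremio code; the function names, the input shape (one userImpersonation boolean per Dremio-to-Dremio source) and the sample inventory are assumptions constructed for illustration.

```python
import re

# Ranges copied from this bulletin: (first affected, last affected, first fixed).
AFFECTED = [((23, 1, 0), (23, 2, 3), "23.2.4"),
            ((24, 0, 0), (24, 1, 1), "24.1.2")]

def parse_version(text):
    """Return (major, minor, patch); any trailing build suffix is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version, d2d_impersonation_flags):
    """Classify one deployment as (status, action).

    d2d_impersonation_flags holds the userImpersonation value of each
    configured Dremio-to-Dremio source (hypothetical input shape; an empty
    list means no such source exists). Whether queries are accelerated is
    not evaluated, so an "exposed" result is conservative.
    """
    v = parse_version(version)
    for first, last, fixed in AFFECTED:
        if first <= v <= last:
            if any(d2d_impersonation_flags):
                return ("exposed", f"upgrade to {fixed} or later; "
                        "until then set userImpersonation to false")
            return ("affected_release_not_exposed",
                    f"upgrade to {fixed} or later; leave userImpersonation "
                    "false on any Dremio-to-Dremio source")
    if v < (23, 1, 0):
        return ("not_affected", "connector not present before 23.1.0")
    return ("not_affected", "fixed release")

if __name__ == "__main__":
    # Constructed sample inventory: host name -> (version, flags).
    inventory = {
        "analytics-a": ("24.1.1-build123", [True, False]),
        "analytics-b": ("23.2.3", [False]),
        "analytics-c": ("24.1.2", [True]),
        "legacy-d": ("22.1.7", []),
    }
    for host, (version, flags) in inventory.items():
        status, action = triage(version, flags)
        print(f"{host}: {version} -> {status} ({action})")
```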