
Security Bulletin 2024-01-12-01

Abstract

Path traversal vulnerability bypassed folder-level role-based access control (RBAC).

CVSS Qualitative Rating

Affected Releases

  • Dremio 24.0.0 through 24.3.0
  • Dremio 23.0.0 through 23.2.3
  • Dremio 22.0.0 through 22.2.2

Problem Description

In Affected Releases, an authenticated user who has no privileges on certain folders, or on the files and datasets inside them, can nevertheless access those folders, files, and datasets by performing a path traversal attack. To succeed, the user must already have access to the source and to at least one folder in that source.
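The class of bug described above is an authorization check that is evaluated against the path as the client typed it, while the storage layer later resolves `..` segments and opens a sibling folder the user was never granted. The following is an added illustration written for this bulletin, not Dremio's own code or a description of its internals: it contrasts a check that authorizes the literal folder segment with one that canonicalizes and rejects traversal segments before consulting folder grants. The source name `sales`, the folders `public` and `restricted`, the user names, and the `GRANTS` table are constructed sample data.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample grants (hypothetical, not a Dremio data structure):
# user -> set of folder paths, written as "<source>/<folder>", that the user
# may read. A grant on a folder covers everything beneath it.
GRANTS = {
    "alice": {"sales/public"},
}


def _granted(user: str, folder: str) -> bool:
    """True if `user` holds a grant on `folder` or on one of its ancestors."""
    for granted in GRANTS.get(user, ()):
        if folder == granted or folder.startswith(granted + "/"):
            return True
    return False


def effective_path(requested: str) -> str:
    """What a naive storage layer ends up opening: '..' climbs out of the folder."""
    return posixpath.normpath(unquote(requested)).lstrip("/")


def check_vulnerable(user: str, requested: str) -> bool:
    """The flawed pattern: authorize the folder part of the path exactly as
    supplied. "sales/public/../restricted/x" passes because its textual
    folder prefix starts with the granted "sales/public/", yet the storage
    layer later resolves it to "sales/restricted/x"."""
    folder = unquote(requested).rsplit("/", 1)[0]
    return _granted(user, folder)


def canonical_segments(requested: str):
    """Decode once, then split into segments and refuse anything that is not a
    plain name: empty segments, '.', '..' and backslash variants all fail.
    Returns None when the path must be rejected outright."""
    segs = unquote(requested).split("/")
    for seg in segs:
        if seg in ("", ".", "..") or "\\" in seg:
            return None
    return segs


def check_fixed(user: str, requested: str) -> bool:
    """The hardened pattern: canonicalize first, then authorize the folder
    chain that will actually be opened. A rejected path never reaches the
    grant lookup, so no '..' can move the request into a sibling folder."""
    segs = canonical_segments(requested)
    if segs is None:
        return False
    folder = "/".join(segs[:-1])
    return _granted(user, folder)


if __name__ == "__main__":
    probe = "sales/public/../restricted/secret"
    print("vulnerable check grants:", check_vulnerable("alice", probe),
          "-> opens", effective_path(probe))
    print("fixed check grants:", check_fixed("alice", probe))
```

The important ordering is canonicalize, then authorize: the folder that is compared against the grants must be the same folder the storage layer will open. Rejecting traversal segments outright, rather than normalizing and re-checking, keeps the decision simple and leaves an audit log entry (a denied request containing `..`) that a detection rule can alert on.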

Resolution Actions

Upgrade to a Fixed Release that resolves the issue.

Fixed Releases

  • Dremio 24.3.1 and above
  • Dremio 23.2.4 and above
  • Dremio 22.2.3 and above