Skip to main content
Version: current [25.x]

Security Bulletin 2024-02-07-01

Abstract

The COPY INTO command does not verify users' SELECT privileges.

CVSS Qualitative Rating

Affected Releases

  • Dremio 24.0.0 through 24.3.2

Problem Description

In Affected Releases, an authenticated user who does not have the SELECT privilege on certain files/datasets can access those files/datasets by using the COPY INTO command. The user can copy the file/dataset to a new table and access the data there.

Resolution Actions

Upgrade to a Fixed Release that resolves the issue.

Fixed Releases

  • Dremio 24.3.3 and above