Skip to main content

Version: current [25.0.x]

Security Bulletin 2024-02-07-01

Abstract

The COPY INTO command does not verify users' SELECT privileges.

CVSS Qualitative Rating

Medium
CVSSv3.1
- Score: 6.5
- AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Releases

Dremio 24.0.0 through 24.3.2

Problem Description

In Affected Releases, an authenticated user who does not have the SELECT privilege on certain files/datasets can access those files/datasets by using the COPY INTO command. The user can copy the file/dataset to a new table and access the data there.

Resolution Actions

Upgrade to a Fixed Release that resolves the issue.

Fixed Releases

Dremio 24.3.3 and above

Abstract
CVSS Qualitative Rating
Affected Releases
Problem Description
Resolution Actions
Fixed Releases