Incorrect access control allows users to edit discussions

Information

• CVE Id: CVE-2020-25822

• CVSS 3.0 Score: 4.3

• Severity: Medium

• CWE classification: CWE-273 - Incorrect Access Control

• CVSS 3.0 string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

The discussions feature allows users to edit their own posts. Insufficient access control on the API endpoint used to edit posts allows other users (who have permission to comment and modify their posts) to modify posts of other users.

Affected Products

Dataiku DSS in versions before 8.0.2

Credits

This vulnerability was discovered by cobalt.io

Mitigation

Dataiku DSS 8.0.2 has been made available to customers to remediate this issue