Incorrect access control in Jupyter notebooks

Information

• CVE Id: CVE-2021-27225

• CVSS Base Score: 5.4

• Severity: Medium

• CWE classification: CWE-284

Credits

Dataiku would like to thank Xiejingwei Fei (jack dot fei at finra dot org) for discovering and reporting this vulnerability.

Summary

In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.

In order to exploit the vulnerability, the attacker must have coding permissions in Dataiku DSS and write access to a project, and must send specially-crafted HTTP queries.

Affected Products

Dataiku DSS in versions before 8.0.6

Mitigation

Dataiku DSS 8.0.6 has been made available to customers to remediate this issue