Incorrect access control in Jupyter notebooks
Information
CVE Id: CVE-2021-27225
CVSS Base Score: 5.4
Severity: Medium
CWE classification: CWE-284
Credits
Dataiku would like to thank Xiejingwei Fei (jack dot fei at finra dot org) for discovering and reporting this vulnerability.
Summary
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
In order to exploit the vulnerability, the attacker must have coding permissions in Dataiku DSS and write access to a project, and must send specially-crafted HTTP queries.
Affected Products
Dataiku DSS in versions before 8.0.6
Mitigation
Dataiku DSS 8.0.6 has been made available to customers to remediate this issue.