Credentials disclosure through path traversal

Information

  • Advisory ID: DSA-2022-016

  • CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • CVSS Base Score: 8.8 (High)

  • CWE classification: CWE-23

Summary

It was discovered that a path traversal issue could lead to the disclosure of sensitive information in the Dataiku configuration folder, including credentials.

Affected Products

  • Dataiku DSS 9 and older versions

  • Dataiku DSS 10 before 10.0.9

  • Dataiku DSS 11 before 11.0.3

Fix

Dataiku DSS 10.0.9 and Dataiku DSS 11.0.3 have been made available to customers to remediate this issue.