Ability to tamper with creation and ownership metadata¶
- CVE Id: CVE-2020-8817
- CVSS Base Score: 4.3
- Severity: Medium
- CWE classification: CWE-284
The “Created by” metadata displayed in the right column for most Dataiku object types (datasets, Wiki articles, dashboards, …) can be tampered with by users with write access to the project.
Although the audit trail and history log always reference the proper information, this allows hostile attackers to display misleading metadata information in the right column.
Dataiku DSS in versions before 6.0.5
Dataiku DSS 6.0.5 has been made available to customers to remediate this issue.