Ability to tamper with creation and ownership metadata

Information

  • CVE Id: CVE-2020-8817
  • CVSS Base Score: 4.3
  • Severity: Medium
  • CWE classification: CWE-284

Summary

The “Created by” metadata displayed in the right column for most Dataiku object types (datasets, Wiki articles, dashboards, …) can be tampered with by users with write access to the project.

Although the audit trail and history log always record the correct information, an attacker can use this issue to display misleading metadata in the right column.

Affected Products

Dataiku DSS versions before 6.0.5

Mitigation

Dataiku DSS 6.0.5 has been made available to customers to remediate this issue.

Credits

This vulnerability was discovered and reported by Fábio Freitas (@0xfabiof). Thanks!