Ability to tamper with creation and ownership metadata
Information
CVE Id: CVE-2020-8817
CVSS Base Score: 4.3
Severity: Medium
CWE classification: CWE-284
Summary
The “Created by” metadata displayed in the right column for most Dataiku object types (datasets, Wiki articles, dashboards, …) can be tampered with by users with write access to the project.
Although the audit trail and history log always reference the proper information, this allows an attacker to display misleading metadata in the right column.
Affected Products
Dataiku DSS versions before 6.0.5
Mitigation
Dataiku DSS 6.0.5 has been made available to customers to remediate this issue.
Credits
This vulnerability was discovered and reported by Fábio Freitas (@0xfabiof). Thanks!