Ability to tamper with creation and ownership metadata


  • CVE Id: CVE-2020-8817

  • CVSS Base Score: 4.3

  • Severity: Medium

  • CWE classification: CWE-284


The “Created by” metadata displayed in the right column for most Dataiku object types (datasets, Wiki articles, dashboards, …) can be tampered with by users with write access to the project.

Although the audit trail and history log always reference the proper information, this allows hostile attackers to display misleading metadata information in the right column.

Affected Products

Dataiku DSS in versions before 6.0.5


Dataiku DSS 6.0.5 has been made available to customers to remediate this issue.


This vulnerability was discovered and reported by Fábio Freitas (@0xfabiof). Thanks!