Insufficient access control on active web content via static insights

Information

  • Advisory ID: DSA-2023-006

  • CVSS Base Score: 7.3

  • CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

  • Severity: High

  • CWE classification: CWE-269

Summary

It was discovered that a user with the privilege to write code, but without the privilege to write active web content, could still cause active web content to be displayed to other users through the use of static insights.

Affected Products

  • Dataiku DSS before 12.1.1

Fix

Dataiku DSS 12.1.1 has been made available to customers to remediate this issue.