Improper Limitation of a Pathname to a Restricted Directory

Information

• Advisory ID: DSA-2026-001

• CVSS Base Score: 6.5

• CVSS String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

• Severity: Medium

• CWE classification: CWE-22

Summary

In Dataiku DSS before 14.3.2, when granting the Personal Connections right to some users, a user could leverage the Private Key parameter of a Snowflake or GCP connection to read the content of a file.

Affected Products

• Dataiku DSS before 14.3.2

Fix

Dataiku 14.3.2 has been made available to customers to remediate this issue. From this version, keys can be restricted to a list of paths/globs configured by adminstrators.