Session credential disclosure
Information
- Advisory ID: DSA-2022-012
- CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS Base Score: 8.8 (High)
- CWE classification: CWE-200
Summary
It was discovered that a user’s internal session credential was mistakenly written to a location readable by attackers who have access to the same project as the victim. This could lead to account takeover.
Affected Products
- Dataiku DSS 9 and older versions
- Dataiku DSS 10 before 10.0.9
- Dataiku DSS 11 before 11.0.3
Fix
Dataiku DSS 10.0.9 and Dataiku DSS 11.0.3 have been made available to customers to remediate this issue.