Ability to tamper with creation and ownership metadata
Information
- CVE Id: CVE-2020-8817
- CVSS Base Score: 4.3
- Severity: Medium
- CWE classification: CWE-284
Summary
The “Created by” metadata displayed in the right column for most Dataiku object types (datasets, Wiki articles, dashboards, …) can be tampered with by users with write access to the project.
Although the audit trail and history log always reference the correct information, this allows an attacker to display misleading metadata in the right column.
Affected Products
Dataiku DSS versions before 6.0.5
Mitigation
Dataiku DSS 6.0.5 has been made available to customers to remediate this issue.
Credits
This vulnerability was discovered and reported by Fábio Freitas (@0xfabiof). Thanks!