Dremio Database Tool Allows Path Traversal Vulnerability – Update Your Software Now

CVE: CVE-2024-23768
CVSS v3.1: 8.8
Source: CVE-2024-23768

Dremio is a widely used data lake engine, available in an open source edition, that exposes data lake contents through SQL. Versions before 24.3.1 contain a path traversal vulnerability that lets an authenticated user reach folders, files and datasets they are not authorized to access.

The vulnerability stems from missing input validation on user-supplied folder paths. An authenticated user who has no privileges on a given folder can place traversal sequences such as ".." (or encoded equivalents) in a folder name so that the resulting path resolves outside the folder they were granted and into restricted areas of the Dremio file structure.

That gives an attacker a way to read, and potentially modify or delete, files and datasets that authorization should have kept out of reach. The only prerequisites are a valid Dremio login and knowledge of the traversal flaw: no administrative rights are required, so any user account, including a compromised or low-privilege one, is enough.
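To make the mechanism concrete, the following Python is an added illustration (not Dremio's code and not derived from the patch) of the general pattern behind this class of bug: a resolver that concatenates a user-supplied folder name beside one that decodes, normalizes and confines the result to the folder the user is authorized for. The root directory, folder names and the function names are constructed for the example.

```python
"""Folder-path traversal: a naive join beside a confined resolver.

Added illustration, not Dremio's code. The folder layout, authorized root
and function names below are constructed for the example."""
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed scenario: this user is authorized only for /data/lake/team_a.
AUTHORIZED_ROOT = PurePosixPath("/data/lake/team_a")


class PathTraversalError(ValueError):
    """Raised when a folder name would resolve outside the authorized root."""


def where_naive_lands(root: PurePosixPath, folder: str) -> str:
    """Vulnerable pattern: trust the folder name and concatenate it.

    Returns the path the filesystem would actually open, so the escape
    caused by '..' segments is visible in the result.
    """
    joined = f"{root}/{folder}"              # no validation at all
    return posixpath.normpath(joined)        # what the OS resolves it to


def is_confined(root: PurePosixPath, candidate: PurePosixPath) -> bool:
    """True if candidate is root itself or a descendant of root.

    A component-wise check, not a string-prefix check: "/data/lake/team_a_x"
    starts with "/data/lake/team_a" as a string but is not inside it.
    """
    return candidate == root or root in candidate.parents


def resolve_folder_safe(root: PurePosixPath, folder: str) -> PurePosixPath:
    """Hardened resolver: decode, reject obvious bad input, normalize, confine."""
    decoded = unquote(folder)  # decode once, matching a single URL-decoding layer
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in folder name")
    if PurePosixPath(decoded).is_absolute():
        raise PathTraversalError("absolute folder paths are not allowed")
    # Lexical normalization collapses '.' and applies '..' before the check,
    # so a '..' that stays inside root is fine and one that leaves it is not.
    candidate = PurePosixPath(posixpath.normpath(str(root / decoded)))
    if not is_confined(root, candidate):
        raise PathTraversalError(f"{folder!r} resolves outside {root}")
    # Caveat: this is a lexical check only. When the path is opened on a real
    # filesystem, also resolve symlinks (Path.resolve()) and re-check.
    return candidate


def is_safe_folder(root: PurePosixPath, folder: str) -> bool:
    """Convenience wrapper: True when the folder name stays inside root."""
    try:
        resolve_folder_safe(root, folder)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    for name in ["sales/2024", "../team_b/secrets", "%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{name!r:32} naive -> {where_naive_lands(AUTHORIZED_ROOT, name)}")
        try:
            print(f"{'':32} safe  -> {resolve_folder_safe(AUTHORIZED_ROOT, name)}")
        except PathTraversalError as exc:
            print(f"{'':32} safe  -> rejected: {exc}")
```

The confinement test is deliberately done on path components rather than with a string prefix comparison, because a prefix check accepts sibling directories whose names merely start with the root's name. The decoding step matches one layer of URL decoding; if a front end decodes the value again downstream, the check must be applied after that final decoding, not before.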

Dremio has released fixes in versions 24.3.1, 23.2.4 and 22.2.3, one for each maintained release line. Any installation still running an earlier release of those lines remains vulnerable.

If you run Dremio, upgrade to the fixed release for your line (24.3.1, 23.2.4 or 22.2.3, or later) as soon as possible. Because the flaw is reachable by any authenticated user, also review who holds accounts, enforce strong authentication, and keep folder-level authorization tight so that a compromised or malicious low-privilege account can do the least possible damage. Keeping patches current is essential for any software that sits in front of business data.
