CVE-2024-23768

HIGH

Dremio 22.0.0-22.2.2 23.0.0-23.2.3 24.0.0-24.3.0 - Authenticated Path Traversal

Title source: llm

Description

Dremio before 24.3.1 allows path traversal. An authenticated user who has no privileges on certain folders (and the files and datasets in these folders) can access these folders, files, and datasets. To be successful, the user must have access to the source and at least one folder in the source. Affected versions are: 24.0.0 through 24.3.0, 23.0.0 through 23.2.3, and 22.0.0 through 22.2.2. Fixed versions are: 24.3.1 and later, 23.2.4 and later, and 22.2.3 and later.

References (1)

Core 1

Core References

Vendor Advisory

https://docs.dremio.com/current/reference/bulletins/2024-01-12-01

Scores

CVSS v3 8.8

EPSS 0.0064

EPSS Percentile 46.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Products (1)

dremio/dremio 22.0.0 - 22.2.3

Published Jan 22, 2024

Tracked Since Feb 18, 2026