CVE-2024-23768
📋 TL;DR
This CVE describes a path traversal vulnerability in Dremio that lets an authenticated user who holds access to at least one folder in a data source bypass folder-level authorization and read other folders, files and datasets in that source. The page reports Dremio versions 22.0.0 through 24.3.0 as affected; the only precondition is a valid account with access to one folder in the source.
💻 Affected Systems
- Dremio
📦 What is this software?
Dremio by Dremio: a SQL query engine and data lakehouse platform that catalogs folders and datasets from connected data sources and exposes them to users according to per-folder privileges.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider or compromised account could access sensitive data in restricted folders, potentially exposing confidential information, intellectual property, or regulated data.
Likely Case
Users with legitimate access to some folders could inadvertently or intentionally access data in folders they shouldn't have permission to view, leading to data leakage and policy violations.
If Mitigated
If folder privileges are already kept to the minimum each account needs and folder access is audited, the blast radius is limited to the other folders of sources an account already has partial access to, and misuse leaves a trail that can be detected and remediated.
🎯 Exploit Status
Exploitation requires an authenticated account with access to at least one folder in the target source and knowledge (or guessing) of the paths of the restricted folders. The flaw is a missing or incorrect authorization check on the requested path, so no memory corruption or complex manipulation is involved. This page does not reference a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.3.1 and later, 23.2.4 and later, 22.2.3 and later
Vendor Advisory: https://docs.dremio.com/current/reference/bulletins/2024-01-12-01
Restart Required: Yes
Instructions:
1. Back up your Dremio configuration and data.
2. Download the patched version from Dremio's official distribution channels.
3. Stop the Dremio service.
4. Install the updated version following Dremio's upgrade documentation.
5. Restart the Dremio service.
6. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict User Access
Temporarily limit each account to the folders it strictly needs, remove folder access in sources that also hold sensitive data, and tighten access controls while planning the upgrade. Remember that any folder in a source is enough to reach the rest of that source, so the unit of exposure is the source, not the folder.
🧯 If You Can't Patch
- Keep sensitive data sources out of Dremio, or out of reach of accounts that only need a subset of a source, until the patch is applied; segmenting Dremio from its sources does not help, because the access happens through Dremio itself
- Enhance monitoring and auditing of folder access patterns to detect unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check Dremio version via web interface or command line. If version falls within affected ranges (22.0.0-22.2.2, 23.0.0-23.2.3, 24.0.0-24.3.0), the system is vulnerable.
Check Version:
Check Dremio web interface under 'About' or run: dremio-admin version
Verify Fix Applied:
After patching, verify the version is 22.2.3+, 23.2.4+, or 24.3.1+. Then, with a test account that has access to only one folder in a source, confirm that it cannot reach sibling or parent folders in that source through the catalog browser, the REST API or SQL, including with `..` or percent-encoded dot segments in the path.
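As an added example (not code from the page or from Dremio), the following Python script applies the version ranges listed above to a version string copied from the About dialog. It assumes Dremio version strings start with major.minor.patch and may carry a build suffix such as `-2023...`; the ranges and fixed releases are the ones stated on this page.

```python
"""Assess a Dremio version string against the CVE-2024-23768 ranges on this page."""
import re
from typing import Tuple

# Affected ranges from the advisory text, inclusive: (first affected, last affected).
AFFECTED_RANGES = (
    ((22, 0, 0), (22, 2, 2)),
    ((23, 0, 0), (23, 2, 3)),
    ((24, 0, 0), (24, 3, 0)),
)
# First patched release of each affected branch.
FIXED_VERSIONS = ((22, 2, 3), (23, 2, 4), (24, 3, 1))

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch; a trailing build suffix (e.g. '24.3.0-2023...')
    is ignored. Raises ValueError if the string does not start with a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Dremio version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched', or 'outside affected branches'.

    A release later than the fix on an affected branch (e.g. 22.3.0) is
    reported as patched; majors this page does not list (e.g. 21.x, 25.x)
    are reported as outside the affected branches."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "vulnerable"
    for fixed in FIXED_VERSIONS:
        if v[0] == fixed[0] and v >= fixed:
            return "patched"
    return "outside affected branches"


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["24.3.0-202312", "24.3.1"]:
        print(f"{arg}: {assess(arg)}")
```

Run it with the version string as the argument, e.g. `python check_dremio_version.py "23.2.3-202311..."`; anything reported as `vulnerable` needs the upgrade described above.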
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to restricted folders
- Multiple failed authorization attempts followed by successful access to unexpected paths
Network Indicators:
- Bursts of catalog or folder-listing API calls from a single account, especially requests whose paths contain `..` or percent-encoded dot segments (`%2e%2e`)
SIEM Query:
source="dremio" (event_type="folder_access" OR event_type="authorization_failure") NOT [| inputlookup authorized_users | fields user]
(Illustrative Splunk-style query: `event_type`, `user` and the `authorized_users` lookup are placeholders to be mapped onto the fields of your Dremio audit or access log and your own list of entitled accounts.)
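To make the log indicators above concrete, here is an added Python example (not code from the page or from Dremio) that runs two of them over constructed access-log lines: it flags requests whose paths contain traversal sequences, and it flags successful access to a folder outside the user's entitlement, marking it as especially suspicious when it follows an authorization denial for the same user within a short window. The JSON fields (`ts`, `user`, `action`, `path`, `outcome`) and the `AUTHORIZED` map are assumptions for the example, not Dremio's audit schema or privilege model.

```python
"""Hunt for folder-access abuse of the kind CVE-2024-23768 enables, over sample logs."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Set
from urllib.parse import unquote

# Constructed sample events (not Dremio's real audit format). Assumed fields:
# ts (ISO 8601), user, action, path (catalog path within a source), outcome.
SAMPLE_LOG = """\
{"ts":"2024-01-15T10:00:01Z","user":"alice","action":"folder_access","path":"sales/public","outcome":"success"}
{"ts":"2024-01-15T10:00:05Z","user":"alice","action":"folder_access","path":"finance/payroll","outcome":"denied"}
{"ts":"2024-01-15T10:00:09Z","user":"alice","action":"folder_access","path":"sales/public/../../finance/payroll","outcome":"success"}
{"ts":"2024-01-15T10:00:12Z","user":"alice","action":"folder_access","path":"sales/public/%2e%2e/%2e%2e/hr/reviews","outcome":"success"}
{"ts":"2024-01-15T10:01:00Z","user":"bob","action":"folder_access","path":"sales/public","outcome":"success"}
{"ts":"2024-01-15T10:01:02Z","user":"bob","action":"folder_access","path":"sales/public/q4","outcome":"success"}
"""

# Folders each user is entitled to (assumed; in practice exported from Dremio's privileges).
AUTHORIZED: Dict[str, Set[str]] = {"alice": {"sales/public"}, "bob": {"sales/public"}}

# How long after a denial a successful out-of-scope access is linked to it.
WINDOW = timedelta(minutes=5)


def normalize(path: str) -> str:
    """Percent-decode twice (to catch double encoding) and resolve '.' and '..'
    segments, so 'a/../b' and 'a/%2e%2e/b' both become 'b'."""
    decoded = unquote(unquote(path))
    out: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def in_scope(user: str, path: str) -> bool:
    """True if the resolved path is one of the user's folders or inside one."""
    norm = normalize(path)
    roots = AUTHORIZED.get(user, set())
    return any(norm == root or norm.startswith(root + "/") for root in roots)


def analyze(log_text: str) -> List[dict]:
    """Return one finding per suspicious successful event, in log order."""
    findings: List[dict] = []
    last_denied: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        user, path, outcome = ev["user"], ev["path"], ev["outcome"]
        if outcome == "denied":
            last_denied[user] = ts  # remember the denial for the follow-up rule
            continue
        # Rule 1: the raw request carried a traversal sequence, encoded or not.
        if ".." in unquote(unquote(path)):
            findings.append({"user": user, "path": path, "rule": "traversal_sequence"})
        # Rule 2: success outside entitlement, worse if shortly after a denial.
        if not in_scope(user, path):
            recent_denial = user in last_denied and ts - last_denied[user] <= WINDOW
            rule = "out_of_scope_after_denial" if recent_denial else "out_of_scope"
            findings.append({"user": user, "path": path, "rule": rule,
                             "resolved": normalize(path)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the constructed sample, bob's activity produces nothing, while alice's two successful accesses after the `finance/payroll` denial each trigger both rules. The normalization step matters: matching on the raw path string would miss the percent-encoded variant, and a detection that only counts denials would miss the successful bypass entirely.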