Details
- Type: Bug
- Status: Resolved
- Priority: Blocker
- Resolution: Fixed
- Affects Version/s: EXASolution 5.0.0, EXASOL 6.0.0, Exasol 6.1.0, Exasol 6.2.0, Exasol 7.0.0, Exasol 7.1.beta1
- Fix Version/s: Exasol 7.1.0, Exasol 6.2.15, Exasol 7.0.10, Exasol 7.1.rc1
- Component/s: None
- Labels: None
Description
Vulnerability
Classification: Critical
A logged-in database user having the system privilege CREATE SCRIPT or CREATE ANY SCRIPT could possibly escape the sandboxed UDF execution and gain access to the host machine running the database.
Prerequisites
- User has login access to the database (valid credentials and CREATE SESSION system privilege).
- User has at least one of the system privileges CREATE SCRIPT and CREATE ANY SCRIPT.
Workaround
We recommend reviewing the system privileges CREATE SCRIPT and CREATE ANY SCRIPT that have already been granted and reducing them to the necessary level.
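The privilege review from the workaround can be run as SQL against Exasol's system tables. This is an added example, not part of the original advisory; it assumes a DBA session that can read EXA_DBA_SYS_PRIVS, EXA_DBA_ROLE_PRIVS and EXA_DBA_USERS, and EXAMPLE_USER is a placeholder name.

```sql
-- 1. Every user or role that holds one of the two privileges directly.
SELECT grantee, privilege, admin_option
FROM   exa_dba_sys_privs
WHERE  privilege IN ('CREATE SCRIPT', 'CREATE ANY SCRIPT')
ORDER  BY grantee, privilege;

-- 2. Users who receive the privilege through a role they were granted.
--    This resolves one level of role membership; if roles are granted to
--    other roles, follow EXA_DBA_ROLE_PRIVS further for each role listed.
SELECT u.user_name,
       rp.granted_role AS via_role,
       sp.privilege
FROM   exa_dba_users u
JOIN   exa_dba_role_privs rp ON rp.grantee = u.user_name
JOIN   exa_dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  sp.privilege IN ('CREATE SCRIPT', 'CREATE ANY SCRIPT')
ORDER  BY u.user_name, rp.granted_role, sp.privilege;

-- 3. Of the direct grantees, those that also hold CREATE SESSION directly,
--    i.e. that meet both prerequisites without any role involved.
SELECT DISTINCT s.grantee
FROM   exa_dba_sys_privs s
JOIN   exa_dba_sys_privs l ON l.grantee = s.grantee
WHERE  s.privilege IN ('CREATE SCRIPT', 'CREATE ANY SCRIPT')
AND    l.privilege = 'CREATE SESSION'
ORDER  BY s.grantee;

-- 4. Remove the privilege where it is not needed.
--    EXAMPLE_USER is a placeholder; substitute a grantee from the results.
REVOKE CREATE SCRIPT     FROM EXAMPLE_USER;
REVOKE CREATE ANY SCRIPT FROM EXAMPLE_USER;
```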
Fix
The vulnerability was fixed and users are advised to update to Exasol 6.2.15, 7.0.10, or 7.1.0.