[EXASOL-2904] Privilege escalation vulnerability for adapter-based row-level security
Created: 07.06.2021  Updated: 07.06.2021  Resolved: 07.06.2021

Status: Resolved
Project: EXASOL Roadmap
Component/s: None
Affects Version/s: Exasol 6.2.0
Fix Version/s: Exasol 6.2.15

Type: Bug Priority: Normal
Reporter: Captain EXASOL Assignee: Captain EXASOL
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocking

Description

Vulnerability

Classification: Medium

We identified a privilege escalation vulnerability with adapter-based row-level security plugins that rely on extending filter conditions (e.g. https://github.com/exasol/row-level-security). An attacker can circumvent any rule that is defined to limit the number of visible rows.

This only affects Exasol version 6.2. Later versions, e.g. 7.0, are not affected.

Remediation

Exasol 6.2 users who use such row-level security plugins should upgrade to Exasol version 6.2.15.

