Dremio Software up to 24.3.17/25.0.15/25.1.7/25.2.4 on Linux API Endpoint authorization
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in Dremio Software up to 24.3.17/25.0.15/25.1.7/25.2.4 on Linux. Affected by this vulnerability is an unknown functionality of the component API Endpoint. The manipulation leads to authorization. This vulnerability is traded as CVE-2025-2298. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.
Details
A vulnerability was found in Dremio Software up to 24.3.17/25.0.15/25.1.7/25.2.4 on Linux and classified as problematic. This issue affects an unknown functionality of the component API Endpoint. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Impacted is integrity, and availability. The summary by CVE is:
An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability exists due to insufficient access controls on an API endpoint, enabling any authenticated user to specify and delete files outside their intended scope. Exploiting this flaw could lead to data loss, denial of service (DoS), and potential escalation of impact depending on the deleted files. Affected versions: * Any version of Dremio below 24.0.0 * Dremio 24.3.0 - 24.3.16 * Dremio 25.0.0 - 25.0.14 * Dremio 25.1.0 - 25.1.7 * Dremio 25.2.0 - 25.2.4 Fixed in version: * Dremio 24.3.17 and above * Dremio 25.0.15 and above * Dremio 25.1.8 and above * Dremio 25.2.5 and above * Dremio 26.0.0 and above
The weakness was shared by Marc Olivier Bergeron. The advisory is shared at docs.dremio.com. The identification of this vulnerability is CVE-2025-2298 since 03/13/2025. The exploitation is known to be easy. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available.
Upgrading to version 26.0.0 eliminates this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Vendor
Name
Version
- 24.3.0
- 24.3.1
- 24.3.2
- 24.3.3
- 24.3.4
- 24.3.5
- 24.3.6
- 24.3.7
- 24.3.8
- 24.3.9
- 24.3.10
- 24.3.11
- 24.3.12
- 24.3.13
- 24.3.14
- 24.3.15
- 24.3.16
- 24.3.17
- 25.0.0
- 25.0.1
- 25.0.2
- 25.0.3
- 25.0.4
- 25.0.5
- 25.0.6
- 25.0.7
- 25.0.8
- 25.0.9
- 25.0.10
- 25.0.11
- 25.0.12
- 25.0.13
- 25.0.14
- 25.0.15
- 25.1.0
- 25.1.1
- 25.1.2
- 25.1.3
- 25.1.4
- 25.1.5
- 25.1.6
- 25.1.7
- 25.2.0
- 25.2.1
- 25.2.2
- 25.2.3
- 25.2.4
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CNA CVSS-B Score: 🔍
CNA CVSS-BT Score: 🔍
CNA Vector: 🔍
CVSSv3
VulDB Meta Base Score: 5.4VulDB Meta Temp Score: 5.2
VulDB Base Score: 5.4
VulDB Temp Score: 5.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: AuthorizationCWE: CWE-862 / CWE-863 / CWE-285
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Software 26.0.0
Timeline
03/13/2025 🔍04/21/2025 🔍
04/21/2025 🔍
04/21/2025 🔍
Sources
Advisory: docs.dremio.comResearcher: Marc Olivier Bergeron
Status: Confirmed
CVE: CVE-2025-2298 (🔍)
GCVE (CVE): GCVE-0-2025-2298
GCVE (VulDB): GCVE-100-305789
Entry
Created: 04/21/2025 18:31Changes: 04/21/2025 18:31 (68)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.