Security Advisory – Critical LDAP Authentication Bypass Vulnerability in Dataiku DSS Identified (CVE-2023-51717)

A critical security vulnerability, identified as CVE-2023-51717, has been disclosed in Dataiku Data Science Studio (DSS) versions prior to 11.4.5 and 12.4.1. The issue, with a CVSS base score of 9.8, is an LDAP authentication bypass: credentials are insufficiently verified during LDAP identity authentication, so under the conditions described below authentication can be bypassed entirely.

Affected Products:
The vulnerability affects Dataiku DSS versions before 11.4.5 and 12.4.1. However, Dataiku Cloud customers are not impacted by this issue.

Specific Conditions for Vulnerability:
The vulnerability is only present in instances where LDAP support is enabled in DSS. Additionally, the LDAP server must be configured to allow “unauthenticated binds,” a setting common in Microsoft Active Directory but generally discouraged in LDAP specifications.

Mitigation and Remediation:
For customers using DSS version 12.1.0 or higher in conjunction with Single Sign-On (SSO) and LDAP (for provisioning only), the issue can be mitigated by disabling “Allow user authentication” in the LDAP settings. Dataiku has released DSS versions 12.4.1 and 11.4.5 to fully remediate this issue.
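The two conditions above (LDAP authentication enabled in the application, and a directory that accepts unauthenticated binds) and the mitigation combine into a single pattern, so the following added example illustrates that pattern in code. It is not Dataiku's code and is not taken from the advisory; it models the general flaw class and its fix. The `ToyLdapServer` class, the `example.com` DNs, the account data and the function names are all constructed assumptions. The server follows RFC 4513 section 5.1.2, where a bind request carrying a DN but an empty password is an "unauthenticated bind" that a directory may answer with success even though no credential was checked.

```python
"""Model of the flaw class behind an LDAP authentication bypass.

Constructed example: a toy directory that honours RFC 4513 unauthenticated-
bind semantics, a login routine that trusts the bind result alone, and a
hardened routine that refuses empty credentials before contacting the
directory at all.
"""
from dataclasses import dataclass, field


@dataclass
class ToyLdapServer:
    """Stand-in for an LDAP server's simple-bind handling (assumption, not a real client).

    RFC 4513 section 5.1.2: a DN with an empty password is an 'unauthenticated
    bind'. Servers that permit it return 'success' without checking anything;
    the advisory names Active Directory as a common example of such a server.
    """
    allow_unauthenticated_bind: bool
    # Constructed sample account data: DN -> password.
    accounts: dict = field(default_factory=lambda: {
        "uid=alice,ou=people,dc=example,dc=com": "correct-horse-battery",
    })

    def simple_bind(self, dn: str, password: str) -> bool:
        """Return True when the server would report bind 'success'."""
        if password == "":
            # Unauthenticated bind: success depends only on server policy,
            # not on whether the DN even exists.
            return self.allow_unauthenticated_bind
        return self.accounts.get(dn) == password


def dn_for(username: str) -> str:
    """Map a login name onto a DN in the constructed example.com tree."""
    return f"uid={username},ou=people,dc=example,dc=com"


def login_trusting_bind(server: ToyLdapServer, username: str, password: str) -> bool:
    """Vulnerable pattern: 'bind succeeded' is treated as 'password verified'."""
    return server.simple_bind(dn_for(username), password)


def login_hardened(server: ToyLdapServer, username: str, password: str) -> bool:
    """Hardened pattern: never issue a bind that could succeed without a credential."""
    if not username or not password:
        return False  # reject before the directory is contacted
    return server.simple_bind(dn_for(username), password)


def permits_unauthenticated_bind(server: ToyLdapServer) -> bool:
    """Config audit for your own directory: does an empty-password bind succeed?"""
    return server.simple_bind(dn_for("config-audit-probe"), "")


if __name__ == "__main__":
    lenient = ToyLdapServer(allow_unauthenticated_bind=True)
    strict = ToyLdapServer(allow_unauthenticated_bind=False)
    print("directory permits unauthenticated bind:", permits_unauthenticated_bind(lenient))
    print("trusting login, empty password:", login_trusting_bind(lenient, "alice", ""))
    print("hardened login, empty password:", login_hardened(lenient, "alice", ""))
    print("hardened login, real password:", login_hardened(lenient, "alice", "correct-horse-battery"))
    print("trusting login against strict directory:", login_trusting_bind(strict, "alice", ""))
```

The two mitigations in the advisory map onto this model directly: upgrading to a fixed DSS release corresponds to moving from `login_trusting_bind` to `login_hardened`, and disabling "Allow user authentication" for SSO deployments that use LDAP only for provisioning corresponds to never calling the bind path for login at all. `permits_unauthenticated_bind` is the check an administrator can run against their own directory to learn whether the second precondition holds.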

Acknowledgement:
The vulnerability was reported by Christian Turri, a consultant. Dataiku has since confirmed and addressed the issue promptly.

Timeline:

  • December 20, 2023: Vulnerability reported to Dataiku.
  • December 21, 2023: Dataiku released fixed versions and published the advisory.
  • December 22, 2023: CVE ID assigned.

For more details, users are advised to contact Dataiku or refer to their security advisory page.

Source: Dataiku DSS Security Advisory