Missing Encryption of Sensitive Data in Data Lakehouse - CVE-2024-38302

 


Published: July 30, 2024


Vulnerability identifier: #VU94847
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-38302
CWE-ID: CWE-311
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Dell
Affected software:
Data Lakehouse

Detailed vulnerability description

The vulnerability allows an adjacent user to gain access to potentially sensitive information.

The vulnerability exists due to missing encryption of sensitive data in the DDAE (Starburst). A low-privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure.


How to mitigate CVE-2024-38302

Install updates from vendor's website.
