Affected versions: all Compose versions for both Compose for Data Warehouses and Compose for Data Lakes.
Vulnerability description: A malicious authorized Compose user holding the Operator, Designer or Administrator role can exploit this vulnerability to execute arbitrary code on the Compose Windows server, running with the privileges of the account under which the Compose service runs. The vulnerability is exploited through the command task feature in Compose.
Patch availability: Patches that address this vulnerability are available on the download site for these supported versions:
Compose for Data Warehouses:
Version 3.1: SP20: SR1
Version 6.5: SP11: SR3
Version 6.6: SP10: SR4
Compose for Data Lakes:
Version 6.5: SP08: SR2
Version 6.6: SP06: SR3
Note that once this patch is installed, only users with the Designer or Administrator role can create or edit Compose command tasks; users with the Operator role no longer have this ability.
If you are still running Compose 6.4 (of either product), please upgrade using one of the patches listed above. If this is not possible, please open a support ticket requesting a patch for 6.4.