Skip to content
This repository has been archived by the owner on Mar 3, 2023. It is now read-only.
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Security Bulletin

Bulletin ID: PLTRSEC-2022-12

CVE: CVE-2022-27897

Affected Products / Versions: Palantir Gotham

Publication Date: Feb 3, 2022

Summary

Palantir Gotham version prior to 3.22.11.2 included an unauthenticated endpoint that would have allowed an attacker to exhaust the memory of the Gotham dispatch server.

Background

Palantir Gotham is a platform that enables the world’s most important organizations to surface insights from complex data and presents them in a single view that enables users to make faster, more confident decisions.

Dispatch is a core Gotham service used to enforce access control, generate logs, and coordinate requests to other parts of the system including the database.

Details

On November 6th it was discovered that Gotham included an unauthenticated endpoint that would load portions of maliciously crafted zip files to memory. An attacker could repeatedly upload a malicious zip file, which would allow them to exhaust memory resources on the dispatch server.

Remediation

On Palantir-managed Gotham enrollments, the relevant services have been automatically upgraded to the fully-patched version.

Timeline

2022-11-06: Palantir infosec is notified about the unauthenticated zip upload vulnerability in Gotham. Palantir appsec validates and notifies product development.

2022-11-18: Gotham version 3.22.11.2 is released, resolving the issue.

2023-2-03: Public disclosure as per our commitment to transparency.