A critical flaw in Apache Polaris allows attackers to bypass access restrictions and gain unauthorized read/write access to arbitrary tables by injecting wildcard characters into naming fields.

The vulnerability stems from the improper sanitization of * characters in table and namespace names. These characters are subsequently included in S3 IAM policies without escaping, causing S3 to interpret them as wildcards and grant the attacker credentials that span across multiple, unintended storage locations.

Successful exploitation allows an attacker to access, modify, or delete data belonging to other users or departments, effectively breaking the multi-tenancy isolation of the platform. With a CVSS score of 9.9, this vulnerability presents an immediate threat to the confidentiality and integrity of all data managed within the affected Polaris environment.

Immediate Action: Upgrade to the latest version of Apache Polaris, which includes input sanitization fixes to prevent wildcard injection.

Proactive Monitoring: Audit existing table and namespace names for the presence of * characters and monitor IAM policy creation logs for suspicious patterns.

Compensating Controls: Implement least-privilege IAM policies at the cloud provider level to restrict the scope of temporary credentials generated by Polaris.

Public Exploit Available: No

The ability to escalate privileges across table boundaries is a critical security failure. Administrators should immediately update their instances and conduct a thorough audit of current storage configurations to ensure no unauthorized cross-table access is currently occurring.