CVE-2023-49620 – org.apache.dolphinscheduler:dolphinscheduler-api
Package
Manager: maven
Name: org.apache.dolphinscheduler:dolphinscheduler-api
Vulnerable Versions: >=0 <3.1.0 (every release before 3.1.0; fixed in 3.1.0)
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00249 (percentile 0.47988)
Details
Apache DolphinScheduler Missing Authorization vulnerability. Before DolphinScheduler 3.1.0, any logged-in user could delete UDF functions in the Resource Center that they were not authorized to manage (UDF functions are mostly consumed by SQL tasks). The delete operation checked only that the caller was authenticated, not that the caller was permitted to act on the referenced function, which is an insecure direct object reference (IDOR; CWE-862 Missing Authorization). Version 3.1.0 fixes the issue. The advisory rates it moderate because exploitation requires a valid login; upgrade to 3.1.0 or later. The CVSS vector reflects the impact: confidentiality and availability are unaffected, but integrity is High, since a low-privileged account can remove another user's UDF and thereby disrupt the SQL tasks that reference it.
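The pattern behind this CVE, as an added example that is not DolphinScheduler's own code: a delete operation that checks only "is the caller logged in" beside one that also checks "may this caller act on this particular object". The `UdfStore`, `User` and `UdfFunction` classes, the in-memory records and the user names are hypothetical stand-ins for a web application's resource center; only the shape of the check corresponds to the advisory.

```python
"""Missing-authorization (CWE-862 / IDOR) on a delete operation, before and after.

Added illustration, not Apache DolphinScheduler code. The store, users and
UDF records are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


class AuthorizationError(Exception):
    """Raised when a request is refused for lack of authentication or authorization."""


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    is_admin: bool = False


@dataclass
class UdfFunction:
    func_id: int
    name: str
    owner_id: int  # user who created the function and is allowed to manage it


class UdfStore:
    """Hypothetical in-memory resource center holding UDF functions keyed by id."""

    def __init__(self) -> None:
        self._funcs: dict[int, UdfFunction] = {}

    def add(self, func: UdfFunction) -> None:
        self._funcs[func.func_id] = func

    def get(self, func_id: int) -> Optional[UdfFunction]:
        return self._funcs.get(func_id)

    def remove(self, func_id: int) -> None:
        del self._funcs[func_id]

    def ids(self) -> set[int]:
        return set(self._funcs)


def delete_udf_vulnerable(store: UdfStore, caller: Optional[User], func_id: int) -> bool:
    """Pre-fix shape: authentication only.

    Any logged-in user can delete any UDF simply by supplying its id; the id
    is an insecure direct object reference because nothing ties it to the caller.
    """
    if caller is None:
        raise AuthorizationError("login required")
    if store.get(func_id) is None:
        return False
    store.remove(func_id)
    return True


def delete_udf_fixed(store: UdfStore, caller: Optional[User], func_id: int) -> bool:
    """Hardened shape: authentication and per-object authorization.

    The caller must own the referenced UDF or be an administrator; the check
    runs before any state changes so a refused request has no side effects.
    """
    if caller is None:
        raise AuthorizationError("login required")
    func = store.get(func_id)
    if func is None:
        return False
    if func.owner_id != caller.user_id and not caller.is_admin:
        raise AuthorizationError(f"user {caller.user_id} may not delete UDF {func_id}")
    store.remove(func_id)
    return True


def demo(delete: Callable[[UdfStore, Optional[User], int], bool]) -> dict:
    """Replay the advisory's scenario against one delete implementation.

    Two users each own one UDF (constructed data); bob tries to delete alice's
    function, then his own, and an anonymous caller tries as well. The returned
    dict records what succeeded and which UDFs survived.
    """
    store = UdfStore()
    alice = User(1, "alice")
    bob = User(2, "bob")
    store.add(UdfFunction(10, "mask_email", owner_id=alice.user_id))
    store.add(UdfFunction(11, "hash_ssn", owner_id=bob.user_id))
    outcome: dict = {}
    try:
        outcome["bob_deletes_alices"] = delete(store, bob, 10)
    except AuthorizationError:
        outcome["bob_deletes_alices"] = "denied"
    outcome["bob_deletes_own"] = delete(store, bob, 11)
    try:
        outcome["anonymous"] = delete(store, None, 10)
    except AuthorizationError:
        outcome["anonymous"] = "denied"
    outcome["remaining"] = sorted(store.ids())
    return outcome


if __name__ == "__main__":
    print("vulnerable:", demo(delete_udf_vulnerable))
    print("fixed:     ", demo(delete_udf_fixed))
```

Running the module prints the two outcomes side by side: with the vulnerable check bob removes alice's function and the store ends empty; with the fixed check his cross-user request is denied, his own deletion still works, and alice's UDF (id 10) survives. Both variants refuse anonymous callers, which is exactly why the advisory rates the issue moderate: a login is still required. One caveat visible in the fixed version: a non-owner gets "denied" for an existing id but `False` for a missing one, so the responses still reveal which ids exist; if enumeration matters, return the same response for both cases.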
Metadata
Created: 2023-11-30T09:30:32Z
Modified: 2023-12-05T23:04:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-r44q-98gx-pmh2/GHSA-r44q-98gx-pmh2.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-r44q-98gx-pmh2
Finding: F039
Auto approve: 1