CVE-2023-50270 – org.apache.dolphinscheduler:dolphinscheduler
Package
Manager: maven
Name: org.apache.dolphinscheduler:dolphinscheduler
Vulnerable Version: >=1.3.8 <3.2.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00598 (percentile 0.68448)
Details
Session Fixation in Apache DolphinScheduler: in versions before 3.2.1, a session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Metadata
Created: 2024-02-20T12:31:00Z
Modified: 2024-02-23T15:16:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vjqc-g788-f378/GHSA-vjqc-g788-f378.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-vjqc-g788-f378
Finding: F280
Auto approve: 1