CVE-2023-49620

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:33

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2023/11/30/4 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2023/11/30/4 - Mailing List, Third Party Advisory
References () https://github.com/apache/dolphinscheduler/pull/10307 - Issue Tracking, Patch () https://github.com/apache/dolphinscheduler/pull/10307 - Issue Tracking, Patch
References () https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj - Mailing List, Vendor Advisory () https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj - Mailing List, Vendor Advisory

05 Dec 2023, 19:08

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*
First Time Apache
Apache dolphinscheduler
References () https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj - () https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj - Mailing List, Vendor Advisory
References () https://github.com/apache/dolphinscheduler/pull/10307 - () https://github.com/apache/dolphinscheduler/pull/10307 - Issue Tracking, Patch
References () http://www.openwall.com/lists/oss-security/2023/11/30/4 - () http://www.openwall.com/lists/oss-security/2023/11/30/4 - Mailing List, Third Party Advisory

30 Nov 2023, 12:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2023/11/30/4 -

30 Nov 2023, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-30 09:15

Updated : 2024-11-21 08:33


NVD link : CVE-2023-49620

Mitre link : CVE-2023-49620

CVE.ORG link : CVE-2023-49620


JSON object : View

Products Affected

apache

  • dolphinscheduler
CWE
CWE-862

Missing Authorization