6.5

CVE-2023-49620

EPSS 0.33%
Published 30.11.2023 09:15:07
Last modified 21.11.2024 08:33:38
Source security@apache.org
Teams watchlist Login
Open Login

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Dolphinscheduler Version < 3.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.33%	0.555

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

http://www.openwall.com/lists/oss-security/2023/11/30/4

Third Party Advisory

Mailing List

https://github.com/apache/dolphinscheduler/pull/10307

Patch

Issue Tracking

https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-49620

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-49620

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-49620

EUVD