6.5

CVE-2023-49620

EPSS 0.33%
Veröffentlicht 30.11.2023 09:15:07
Zuletzt bearbeitet 21.11.2024 08:33:38
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Dolphinscheduler Version < 3.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.555

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

http://www.openwall.com/lists/oss-security/2023/11/30/4

Third Party Advisory

Mailing List

https://github.com/apache/dolphinscheduler/pull/10307

Patch

Issue Tracking

https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-49620

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-49620

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-49620

EUVD