Vulnerability Description
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDF functions are mostly used in SQL tasks); this is an insecure direct object reference (IDOR) vulnerability. The issue was fixed in version 3.1.0. We rate this CVE as moderate because exploitation still requires a user login; please upgrade to version 3.1.0 to avoid this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Dolphinscheduler | < 3.1.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/11/30/4 (Mailing List, Third Party Advisory)
- https://github.com/apache/dolphinscheduler/pull/10307 (Issue Tracking, Patch)
- https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj (Mailing List, Vendor Advisory)
FAQ
What is CVE-2023-49620?
CVE-2023-49620 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDF functions are mostly used in SQL tasks); this is an insecure direct object reference (IDOR) vulnerability, but ...
How severe is CVE-2023-49620?
CVE-2023-49620 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-49620?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Dolphinscheduler.