List:       oss-security
Subject:    Re: [oss-security] CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability
From:       John Helmert III <ajak () gentoo ! org>
Date:       2023-11-25 20:07:41
Message-ID: ZWJUDWTquSuqfmSk () gentoo ! org

On Fri, Nov 24, 2023 at 05:29:43AM +0000, Zihao Xiang wrote:
> Severity: important
> 
> Affected versions:
> 
> - Apache DolphinScheduler before 3.2.1
> 
> Description:
> 
> Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: 3.2.1.
> Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

So <3.2.1 is affected, but also =3.2.1, and "[FIXED_VERSION]" was
seemingly not replaced in the template. What are the correct affected
and unaffected versions? I tried to dig into what releases the fix
commit is in, but I found that that commit doesn't seem to be in any
tags yet, either?

~/git/dolphinscheduler $ git tag --contains 7308888c703fbe227887d2426273100582096134
~/git/dolphinscheduler $

> References:
> 
> https://github.com/apache/dolphinscheduler/pull/15192
> https://dolphinscheduler.apache.org
> https://www.cve.org/CVERecord?id=CVE-2023-49068
> 


["signature.asc" (application/pgp-signature)]