List: oss-security
Subject: [oss-security] CVE-2023-49620: Apache DolphinScheduler: Authenticated users could delete UDFs in res
From: Jiajie Zhong <zhongjiajie () apache ! org>
Date: 2023-11-30 3:02:05
Message-ID: 72789292-eb17-d220-4364-db1051ef6ad1 () apache ! org
Severity: moderate
Affected versions:
- Apache DolphinScheduler 2.0.0 before 3.1.0
Description:
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDF functions are mostly used in SQL tasks). This is an insecure direct object reference (IDOR) vulnerability; we fixed it in version 3.1.0. We mark this CVE as moderate severity because exploiting it still requires a user login. Please upgrade to version 3.1.0 to avoid this vulnerability.
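The defect class named in the description (a delete endpoint that checks only that the caller is logged in, never that the caller is allowed to act on the object identified by the request) is illustrated below. This is an added example written for this advisory, not DolphinScheduler's own code; the `UdfStore`, `User`, `Udf` names, the sample users and UDF ids are all constructed for the illustration. It shows the vulnerable handler beside the hardened one and records denied attempts, since a burst of denials across many ids from one account is the detection signal a defender wants.

```python
"""Illustration of the IDOR pattern: authentication without authorization
on a delete-by-id endpoint. Hypothetical code, not DolphinScheduler's."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authenticated caller is not allowed to act on the object."""


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    is_admin: bool = False


@dataclass
class Udf:
    udf_id: int
    owner_id: int  # user who uploaded the UDF
    name: str


@dataclass
class UdfStore:
    udfs: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def delete_udf_unchecked(self, caller: User, udf_id: int) -> bool:
        """Vulnerable pattern: only authentication is assumed to have happened.
        Any logged-in user who supplies an id removes that object, whoever owns it."""
        if udf_id not in self.udfs:
            return False
        del self.udfs[udf_id]
        self.audit.append((caller.user_id, udf_id, "deleted"))
        return True

    def delete_udf_checked(self, caller: User, udf_id: int) -> bool:
        """Hardened pattern: authorize against the object itself.
        Look the object up first, then compare ownership before mutating anything."""
        udf = self.udfs.get(udf_id)
        if udf is None:
            return False
        if not (caller.is_admin or udf.owner_id == caller.user_id):
            # Record the denied attempt; repeated denials for many ids from
            # one account are what a detection rule should alert on.
            self.audit.append((caller.user_id, udf_id, "denied"))
            raise Forbidden(f"user {caller.user_id} may not delete UDF {udf_id}")
        del self.udfs[udf_id]
        self.audit.append((caller.user_id, udf_id, "deleted"))
        return True


def seed_store() -> UdfStore:
    """Constructed sample data: two ordinary users, each owning one UDF."""
    store = UdfStore()
    store.udfs[1] = Udf(1, owner_id=100, name="alice_parse_json")
    store.udfs[2] = Udf(2, owner_id=200, name="bob_mask_pii")
    return store


def run_demo() -> dict:
    """Send the same cross-user delete request to both handlers and report
    what survived, as a dict so the outcome can be checked rather than printed."""
    alice = User(100, "alice")
    bob = User(200, "bob")
    admin = User(1, "root", is_admin=True)

    # Vulnerable store: alice removes bob's UDF simply by naming its id.
    vuln = seed_store()
    vuln.delete_udf_unchecked(alice, 2)

    # Hardened store: the same request is refused and bob's UDF survives.
    fixed = seed_store()
    denied = False
    try:
        fixed.delete_udf_checked(alice, 2)
    except Forbidden:
        denied = True
    # The owner and an admin remain able to delete.
    fixed.delete_udf_checked(bob, 2)
    fixed.delete_udf_checked(admin, 1)

    return {
        "vuln_remaining": sorted(vuln.udfs),
        "fixed_denied": denied,
        "fixed_remaining": sorted(fixed.udfs),
        "denied_events": [e for e in fixed.audit if e[2] == "denied"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened version is the order of operations: fetch the object, decide whether this caller may act on it, and only then mutate. Checking the session alone, as the vulnerable handler does, is exactly the gap the advisory describes.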
Credit:
Yuanheng Lab of zhongfu (finder)
References:
https://github.com/apache/dolphinscheduler/pull/10307
https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-49620