Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yNDRxLTk4Z3gtcG1oMs4AA3bb
Apache DolphinScheduler Missing Authorization vulnerability
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (these functions are mostly used in SQL tasks); this is an unauthorized access vulnerability (IDOR). The issue is fixed in version 3.1.0. We mark this CVE as moderate severity because it still requires a user login to operate. Please upgrade to version 3.1.0 to avoid this vulnerability.
Permalink: https://github.com/advisories/GHSA-r44q-98gx-pmh2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNDRxLTk4Z3gtcG1oMs4AA3bb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-r44q-98gx-pmh2, CVE-2023-49620
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-49620
- https://github.com/apache/dolphinscheduler/pull/10307
- https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj
- http://www.openwall.com/lists/oss-security/2023/11/30/4
- https://github.com/apache/dolphinscheduler/commit/a4948f58e671ab263060da1de255af3ecd2530ac
- https://github.com/advisories/GHSA-r44q-98gx-pmh2
Blast Radius: 12.4
Affected Packages
maven:org.apache.dolphinscheduler:dolphinscheduler-service
Dependent packages: 8
Dependent repositories: 76
Downloads:
Affected Version Ranges: < 3.1.0
Fixed in: 3.1.0
All affected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.9, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6
All unaffected versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1
maven:org.apache.dolphinscheduler:dolphinscheduler-dao
Dependent packages: 8
Dependent repositories: 78
Downloads:
Affected Version Ranges: < 3.1.0
Fixed in: 3.1.0
All affected versions: 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6
All unaffected versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1
maven:org.apache.dolphinscheduler:dolphinscheduler-common
Dependent packages: 15
Dependent repositories: 78
Downloads:
Affected Version Ranges: < 3.1.0
Fixed in: 3.1.0
All affected versions: 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6
All unaffected versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1
maven:org.apache.dolphinscheduler:dolphinscheduler-api
Dependent packages: 5
Dependent repositories: 82
Downloads:
Affected Version Ranges: < 3.1.0
Fixed in: 3.1.0
All affected versions: 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.9, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6
All unaffected versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1