CVE-2023-49620

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), withunauthorizedaccess vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid thisvulnerability
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
apachedolphinscheduler
𝑥
< 3.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/11/30/4
https://github.com/apache/dolphinscheduler/pull/10307
https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj
http://www.openwall.com/lists/oss-security/2023/11/30/4
https://github.com/apache/dolphinscheduler/pull/10307
https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj