Home > Vulnerability Database > CVE-2023-49620

Mend.io Vulnerability Database

CVE-2023-49620

Good to know:

Date: November 30, 2023

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability

Language: Java

Severity Score

6.5

Related Resources (7)

Url: http://www.openwall.com/lists/oss-security/2023/11/30/4

Url: https://github.com/apache/dolphinscheduler/pull/10307

Url: https://github.com/apache/dolphinscheduler/commit/a4948f58e671ab263060da1de255af3ecd2530ac

Url: https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-49620

Url: https://github.com/apache/dolphinscheduler

Url: https://www.mend.io/vulnerability-database/CVE-2023-49620

Severity Score

6.5

Weakness Type (CWE)

Missing Authorization

CWE-862

Top Fix

Upgrade Version

Upgrade to version org.apache.dolphinscheduler:dolphinscheduler-api:3.1.0, org.apache.dolphinscheduler:dolphinscheduler-common:3.1.0, org.apache.dolphinscheduler:dolphinscheduler-dao:3.1.0, org.apache.dolphinscheduler:dolphinscheduler-service:3.1.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-49620

Good to know:

Date: November 30, 2023

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?