CVE-2023-49620: [Feature][Permission] Reconstruction of permissions of resource center and monitoring center. by WangJPLeo · Pull Request #10307 · apache/dolphinscheduler
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDF functions are mostly used in SQL tasks); this is an insecure direct object reference (IDOR) vulnerability. The issue was fixed in version 3.1.0. We rate this CVE as moderate because exploitation still requires a logged-in user; please upgrade to version 3.1.0 to avoid this vulnerability.
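The defect class described above is a delete endpoint that verifies only that the caller is logged in, not that the caller owns (or is otherwise authorized for) the object referenced by the id in the request. The following is an added, self-contained illustration written for this page; it is not code from the DolphinScheduler project (which is Java), and the in-memory UDF table, user and UDF identifiers, and the `delete_udf_vulnerable` / `delete_udf_fixed` names are constructed for the demonstration. It shows the pre-fix behaviour beside an ownership check that resolves the id first, denies by default, and records the denial for detection.

```python
"""Ownership check for a 'delete UDF' endpoint: vulnerable form beside the fix.

Added example, not apache/dolphinscheduler code. All users, UDF ids and the
store are constructed to show the IDOR class the advisory describes.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller neither owns the resource nor is an admin."""


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    is_admin: bool = False


@dataclass
class Udf:
    udf_id: int
    owner_id: int
    name: str


@dataclass
class UdfStore:
    """Constructed in-memory stand-in for the resource-center UDF table."""
    udfs: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, udf: Udf) -> None:
        self.udfs[udf.udf_id] = udf

    def delete_udf_vulnerable(self, caller: User, udf_id: int) -> bool:
        """Pre-fix behaviour: being logged in is the only requirement, so any
        user can delete any UDF whose id they can guess or enumerate."""
        if udf_id not in self.udfs:
            return False
        del self.udfs[udf_id]
        return True

    def delete_udf_fixed(self, caller: User, udf_id: int) -> bool:
        """Fixed behaviour: resolve the object, then check that the caller owns
        it (or is an admin) before any state change. Denials are logged so an
        IDOR probe shows up in the audit trail."""
        udf = self.udfs.get(udf_id)
        if udf is None:
            return False
        if not (caller.is_admin or udf.owner_id == caller.user_id):
            self.audit_log.append(
                f"DENY user={caller.user_id} action=delete_udf "
                f"udf_id={udf_id} owner={udf.owner_id}"
            )
            raise PermissionDenied(f"user {caller.user_id} may not delete udf {udf_id}")
        del self.udfs[udf_id]
        self.audit_log.append(f"ALLOW user={caller.user_id} action=delete_udf udf_id={udf_id}")
        return True


def demo() -> dict:
    """Run both variants against the same constructed data and return the outcomes."""
    alice = User(1, "alice")
    bob = User(2, "bob")
    admin = User(3, "admin", is_admin=True)

    store = UdfStore()
    for udf_id, name in ((100, "md5_udf"), (101, "mask_udf"), (102, "trim_udf")):
        store.add(Udf(udf_id, owner_id=alice.user_id, name=name))

    # Vulnerable path: bob is logged in, so he can delete alice's UDF 100.
    vulnerable_deleted = store.delete_udf_vulnerable(bob, 100)

    # Fixed path: the same kind of request from bob is refused and logged.
    try:
        store.delete_udf_fixed(bob, 101)
        fixed_denied = False
    except PermissionDenied:
        fixed_denied = True

    # The owner and an admin are still allowed; an unknown id is simply "not found".
    owner_deleted = store.delete_udf_fixed(alice, 101)
    admin_deleted = store.delete_udf_fixed(admin, 102)
    missing = store.delete_udf_fixed(alice, 999)

    return {
        "vulnerable_deleted": vulnerable_deleted,
        "fixed_denied": fixed_denied,
        "owner_deleted": owner_deleted,
        "admin_deleted": admin_deleted,
        "missing_returns_false": missing,
        "remaining_udfs": len(store.udfs),
        "deny_events": sum(1 for line in store.audit_log if line.startswith("DENY")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of operations in `delete_udf_fixed` is the point: the object is looked up by id and its owner compared to the caller before the delete runs, and the refusal leaves a log line that a detection rule can alert on (repeated `DENY` events from one user across many ids is the typical enumeration pattern).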
Purpose of the pull request
Abstract functions, resource permission verification, and reconstruction of project management, security center, data source center, data quality, resource center and monitoring center module permission management.
Brief change log
close #10306
Verify this pull request
Manually verified the change by testing locally.