GHSA-r44q-98gx-pmh2: Apache DolphinScheduler Missing Authorization vulnerability
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center (which are mostly used in SQL tasks) without authorization, an unauthorized access vulnerability (IDOR). This issue is fixed as of version 3.1.0. We rate this CVE as moderate because it still requires a logged-in user to operate. Please upgrade to version 3.1.0 to avoid this vulnerability.
- CVE-2023-49620
Moderate severity • GitHub Reviewed • Published Nov 30, 2023 to the GitHub Advisory Database • Updated Nov 30, 2023
Package: org.apache.dolphinscheduler:dolphinscheduler-api (Maven)
Affected versions: < 3.1.0
Package: org.apache.dolphinscheduler:dolphinscheduler-common (Maven)
Package: org.apache.dolphinscheduler:dolphinscheduler-dao (Maven)
Package: org.apache.dolphinscheduler:dolphinscheduler-service (Maven)