CVE-2023-49620

moderate-risk

Published 2023-11-30

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability

Do I need to act?

0.33% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Dolphinscheduler

Affected Vendors

Apache

References (6)

Mailing List http://www.openwall.com/lists/oss-security/2023/11/30/4

Issue Tracking https://github.com/apache/dolphinscheduler/pull/10307

Mailing List https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj

Mailing List http://www.openwall.com/lists/oss-security/2023/11/30/4

Issue Tracking https://github.com/apache/dolphinscheduler/pull/10307

Mailing List https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal