DolphinScheduler UDF Delete IDOR before v3.1.0
CVE-2023-49620 Published on November 30, 2023
Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDFs are mostly used in SQL tasks); this is an insecure direct object reference (IDOR) vulnerability. The issue is fixed in version 3.1.0. We rate this CVE as moderate severity because exploitation still requires a user login; please upgrade to version 3.1.0 to avoid this vulnerability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-49620 has been classified as an AuthZ vulnerability or weakness.
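The weakness described above is a missing object-level authorization check: the server confirms that the caller is logged in and that the resource exists, but never asks whether this caller may act on this resource. The following added example (not DolphinScheduler's code; all names such as `UdfRegistry`, `delete_udf_unchecked` and `delete_udf` are hypothetical) shows a minimal UDF registry with the vulnerable delete pattern next to the corrected one, where ownership or an admin role is verified before the record is removed.

```python
"""Added illustration of a missing object-level authorization check (IDOR) on a
resource delete, beside the hardened form. Hypothetical code, not DolphinScheduler's."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller is authenticated but not allowed to act on the resource."""


@dataclass
class User:
    user_id: int
    is_admin: bool = False


@dataclass
class Udf:
    udf_id: int
    owner_id: int
    name: str


@dataclass
class UdfRegistry:
    udfs: dict = field(default_factory=dict)

    def delete_udf_unchecked(self, caller: User, udf_id: int) -> bool:
        # Vulnerable pattern: the handler only checks that the record exists.
        # Any logged-in user who supplies another user's UDF id can delete it.
        if udf_id not in self.udfs:
            return False
        del self.udfs[udf_id]
        return True

    def delete_udf(self, caller: User, udf_id: int) -> bool:
        # Hardened pattern: resolve the object, then verify the caller's
        # relationship to that specific object before performing the action.
        udf = self.udfs.get(udf_id)
        if udf is None:
            return False
        if not (caller.is_admin or udf.owner_id == caller.user_id):
            # Authenticated but not authorized: refuse and leave the record intact.
            raise AuthorizationError(
                f"user {caller.user_id} may not delete UDF {udf_id} owned by {udf.owner_id}"
            )
        del self.udfs[udf_id]
        return True


def seed_registry() -> UdfRegistry:
    """Constructed sample data: UDF 10 belongs to user 1, UDF 11 to user 2."""
    reg = UdfRegistry()
    reg.udfs[10] = Udf(udf_id=10, owner_id=1, name="parse_ts")
    reg.udfs[11] = Udf(udf_id=11, owner_id=2, name="mask_pii")
    return reg


if __name__ == "__main__":
    alice, bob = User(1), User(2)
    reg = seed_registry()
    print("unchecked delete by non-owner:", reg.delete_udf_unchecked(bob, 10))
    reg = seed_registry()
    try:
        reg.delete_udf(bob, 10)
    except AuthorizationError as exc:
        print("checked delete by non-owner refused:", exc)
    print("checked delete by owner:", reg.delete_udf(alice, 10))
```

The hardened handler looks the object up first and compares the caller against the object's owner, so the decision is tied to the record being deleted rather than to the caller's login status alone; in a real service the same check belongs in the service layer so every delete path (UI, API, batch) goes through it.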
Products Associated with CVE-2023-49620
Affected Versions
Apache Software Foundation Apache DolphinScheduler: versions from 2.0.0 up to, but not including, 3.1.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.