DolphinScheduler UDF Delete IDOR before v3.1.0
CVE-2023-49620 Published on November 30, 2023
Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDFs are mostly used in SQL tasks); this is an unauthorized access vulnerability of the insecure direct object reference (IDOR) kind. Version 3.1.0 fixes this issue. We rate this CVE as moderate severity because it still requires a logged-in user to operate; please upgrade to version 3.1.0 to avoid this vulnerability.
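As an added illustration of the bug class, not DolphinScheduler's own code, the following models a hypothetical UDF store: `delete_udf_unchecked` trusts any logged-in caller with whatever id they supply (the IDOR), while `delete_udf_checked` resolves the record and requires the caller to own it or be an admin before deleting. All names (`UdfStore`, `UdfFunc`, `User`, `PermissionDenied`) and the sample records are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class UdfFunc:
    # Constructed stand-in for a resource-center UDF record (hypothetical).
    id: int
    name: str
    owner_id: int


@dataclass
class User:
    id: int
    is_admin: bool = False


class PermissionDenied(Exception):
    pass


class UdfStore:
    def __init__(self, funcs):
        self._funcs = {f.id: f for f in funcs}

    def exists(self, udf_id: int) -> bool:
        return udf_id in self._funcs

    def delete_udf_unchecked(self, caller: Optional[User], udf_id: int) -> bool:
        # Vulnerable pattern: authentication only. Any logged-in user can
        # delete any UDF by supplying its id, which is the IDOR described above.
        if caller is None:
            raise PermissionDenied("login required")
        return self._funcs.pop(udf_id, None) is not None

    def delete_udf_checked(self, caller: Optional[User], udf_id: int) -> bool:
        # Hardened pattern: authenticate, resolve the object, then authorize
        # the caller against that specific object before acting on it.
        if caller is None:
            raise PermissionDenied("login required")
        func = self._funcs.get(udf_id)
        # Treat "not found" and "not yours" identically so the endpoint
        # does not become an oracle for which UDF ids exist.
        if func is None or (not caller.is_admin and func.owner_id != caller.id):
            raise PermissionDenied(f"user {caller.id} may not delete UDF {udf_id}")
        del self._funcs[udf_id]
        return True


def sample_store() -> UdfStore:
    # Constructed sample data: two UDFs owned by two different users.
    return UdfStore([UdfFunc(1, "my_udf", owner_id=10), UdfFunc(2, "other_udf", owner_id=20)])
```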
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-49620 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2023-49620
Affected Versions
Apache Software Foundation Apache DolphinScheduler: versions from 2.0.0 up to, but not including, 3.1.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.