Apache DolphinScheduler <3.2.0 Session Fixation (Session Persists)
CVE-2023-50270 Published on February 20, 2024
Apache DolphinScheduler: Session do not expire after password change
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Vulnerability Analysis
CVE-2023-50270 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Types
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Products Associated with CVE-2023-50270
Want to know whenever a new CVE is published for Apache DolphinScheduler? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache DolphinScheduler:- Version 1.3.8, <= 3.2.0 is affected.
- Version 1.3.8, <= 3.2.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.