CVE-2023-49620

CVE-2023-49620: Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for

Vendor: Apache Software Foundation
Product: Apache DolphinScheduler
Weakness: CWE-862 · Missing authorization
Published: November 30, 2023
Last update: February 13, 2025

What the vulnerability does

Description

Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center (which are mostly used in SQL tasks) without being authorized to do so, an unauthorized access vulnerability (IDOR). We fixed this issue in version 3.1.0. We mark this CVE as moderate because it still requires the user to be logged in. Please upgrade to version 3.1.0 to avoid this vulnerability.

Key dates

Disclosure timeline

November 30, 2023: CVE published
February 13, 2025: Record updated