CVE-2023-49620
Apache DolphinScheduler Missing Authorization vulnerability
6.5
MEDIUM
CVSS 3.1
EPSS 0.33%
Description
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDF functions are commonly used in SQL tasks); this is an unauthorized access vulnerability (IDOR). The issue was fixed in version 3.1.0. This CVE is rated moderate because exploitation still requires a logged-in user; please upgrade to version 3.1.0 to avoid this vulnerability.
How to fix CVE-2023-49620
To remediate CVE-2023-49620, upgrade the affected package to a fixed version below.
- —upgrade to 3.1.0 or later
Is CVE-2023-49620 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 3.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |