GHSA-r44q-98gx-pmh2

Source
https://github.com/advisories/GHSA-r44q-98gx-pmh2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-r44q-98gx-pmh2/GHSA-r44q-98gx-pmh2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r44q-98gx-pmh2
Aliases
Published
2023-11-30T09:30:32Z
Modified
2024-02-16T08:24:05.222859Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Apache DolphinScheduler Missing Authorization vulnerability
Details

Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDF functions are mostly used in SQL tasks); this is an unauthorized access (IDOR) vulnerability. The issue was fixed in version 3.1.0. We rate this CVE as moderate severity because exploitation still requires a logged-in user. Please upgrade to version 3.1.0 to avoid this vulnerability.

Database specific
{
    "nvd_published_at": "2023-11-30T09:15:07Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-30T19:51:53Z"
}
References

Affected packages

Maven / org.apache.dolphinscheduler:dolphinscheduler-api

Package

Name
org.apache.dolphinscheduler:dolphinscheduler-api
Purl
pkg:maven/org.apache.dolphinscheduler/dolphinscheduler-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.1.0

Affected versions

1.*

1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9

2.*

2.0.0-alpha
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.9

3.*

3.0.0-alpha
3.0.0-beta-1
3.0.0-beta-2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6

Maven / org.apache.dolphinscheduler:dolphinscheduler-common

Package

Name
org.apache.dolphinscheduler:dolphinscheduler-common
Purl
pkg:maven/org.apache.dolphinscheduler/dolphinscheduler-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.1.0

Affected versions

1.*

1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9

2.*

2.0.0-alpha
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

3.*

3.0.0-alpha
3.0.0-beta-1
3.0.0-beta-2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6

Maven / org.apache.dolphinscheduler:dolphinscheduler-dao

Package

Name
org.apache.dolphinscheduler:dolphinscheduler-dao
Purl
pkg:maven/org.apache.dolphinscheduler/dolphinscheduler-dao

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.1.0

Affected versions

1.*

1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9

2.*

2.0.0-alpha
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

3.*

3.0.0-alpha
3.0.0-beta-1
3.0.0-beta-2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6

Maven / org.apache.dolphinscheduler:dolphinscheduler-service

Package

Name
org.apache.dolphinscheduler:dolphinscheduler-service
Purl
pkg:maven/org.apache.dolphinscheduler/dolphinscheduler-service

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.1.0

Affected versions

1.*

1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9

2.*

2.0.0-alpha
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.9

3.*

3.0.0-alpha
3.0.0-beta-1
3.0.0-beta-2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6