Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil
Description
Because the HttpUtils class did not verify TLS server certificates, an attacker who could perform a man-in-the-middle (MITM) attack on outgoing HTTPS connections could impersonate the server.
This issue affects Apache DolphinScheduler: before 3.2.0.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler's HttpUtils class fails to verify TLS certificates, enabling MITM attacks on outgoing HTTPS connections.
Vulnerability Overview
CVE-2023-49250 identifies a security flaw in Apache DolphinScheduler versions before 3.2.0. The HttpUtils class, used to make outgoing HTTPS requests, does not validate TLS server certificates. This means the class trusts any certificate presented during the TLS handshake, including those from an attacker operating as a man-in-the-middle (MITM) [1][3].
Exploitation
An attacker who can intercept network traffic between the DolphinScheduler instance and a target HTTPS server can exploit this flaw without any credentials on the scheduler itself. By positioning themselves on the network path (for example from a compromised router, through ARP or DNS spoofing on the scheduler's network segment, or from any position that can redirect the scheduler's routing or name resolution), they can present a self-signed or otherwise invalid certificate. Because HttpUtils does not verify the certificate's legitimacy, the attacker can impersonate any HTTPS server the scheduler contacts through that class [1][3].
Impact
Successful exploitation allows the attacker to read, modify, or inject data in any HTTPS exchange made through HttpUtils. This could lead to disclosure of whatever the scheduler sends or receives over those connections (e.g., credentials, task configurations, or results) and compromise the integrity of data flowing into or out of the orchestration system [1].
Mitigation
The issue is fixed in Apache DolphinScheduler version 3.2.1. The CVE description lists versions before 3.2.0 as affected, while the GitHub Security Advisory marks every release below 3.2.1 as affected and 3.2.1 as the patched release; treat 3.2.0 as unfixed and upgrade to 3.2.1. The fix was introduced via pull request #15288, which makes HttpUtils validate server certificates instead of accepting any chain presented during the handshake [3][4]. Until the upgrade is done, the exposure is limited to the HTTPS destinations that DolphinScheduler reaches through HttpUtils, so restricting the network path between the scheduler and those destinations reduces, but does not remove, the risk.
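The following Java program is an added illustration of the two shapes discussed in the Overview and Mitigation sections; it is not DolphinScheduler's own HttpUtils code or the content of pull request #15288. It builds one SSLContext around a trust-all X509TrustManager (the vulnerable pattern) and one from the JDK default (the hardened pattern, which validates chains against the JVM trust store), then performs a raw TLS handshake with each. The class name, method names, and the default test host (`self-signed.badssl.com`, assumed to be reachable on port 443 and to present a certificate the local JVM does not trust) are assumptions made for the example.

```java
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TrustManagerDemo {

    // Vulnerable shape (illustration only, not the project's code): an X509TrustManager
    // whose check methods never throw, so any chain is accepted: self-signed, expired,
    // or issued by whoever sits on the network path.
    static SSLContext trustAllContext() throws NoSuchAlgorithmException, KeyManagementException {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, null);
        return ctx;
    }

    // Hardened shape: the JDK default context. Its trust manager validates the server
    // chain against the JVM trust store (cacerts, or -Djavax.net.ssl.trustStore).
    static SSLContext defaultContext() throws NoSuchAlgorithmException {
        return SSLContext.getDefault();
    }

    // Opens a TLS connection with the given context and reports whether the handshake
    // was accepted. Hostname matching is switched on explicitly because a raw SSLSocket
    // does not do it by default (HttpsURLConnection does it through a HostnameVerifier).
    static boolean handshakeSucceeds(SSLContext ctx, String host, int port) throws IOException {
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            return true;
        } catch (SSLException e) {
            // Chain rejected by the trust manager, or the certificate name did not match.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] names a host reachable on 443 whose certificate the local
        // JVM does not trust, e.g. a self-signed test endpoint.
        String host = args.length > 0 ? args[0] : "self-signed.badssl.com";
        System.out.println("trust-all context accepts " + host + ": "
                + handshakeSucceeds(trustAllContext(), host, 443));
        System.out.println("default context accepts   " + host + ": "
                + handshakeSucceeds(defaultContext(), host, 443));
    }
}
```

Against an endpoint with an untrusted certificate, the trust-all context completes the handshake and the default context refuses it with an SSLException, which is exactly the difference between the pre-fix and post-fix behaviour described above. Note that the trust-all TrustManager pattern commonly ships next to a HostnameVerifier that returns true for every host; when auditing a code base for this class of bug, remove both, and prefer SSLContext.getDefault() (or a context initialised from a dedicated TrustManagerFactory over a pinned KeyStore) to any hand-written X509TrustManager.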
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | < 3.2.1 | 3.2.1 |
Affected products
- Apache Software Foundation / Apache DolphinScheduler
Patches
No patches discovered yet.
References
- github.com/apache/dolphinscheduler/pull/15288 (patch)
- github.com/advisories/GHSA-37gx-jqx9-fwmg (advisory)
- lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-49250 (advisory)
- www.openwall.com/lists/oss-security/2024/02/20/1 (oss-security post)