Maven package
org.apache.dolphinscheduler/dolphinscheduler-api
pkg:maven/org.apache.dolphinscheduler/dolphinscheduler-api
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-49620 | — | | | < 3.1.0 | 3.1.0 | Nov 30, 2023 | Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level beca |
| CVE-2023-49068 | — | | | < 3.2.1 | 3.2.1 | Nov 27, 2023 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, thi |
| CVE-2023-25601 | — | | | >= 3.0.0, < 3.1.2 | 3.1.2 | Apr 20, 2023 | On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you |
| CVE-2020-13922 | — | | | < 1.3.2 | 1.3.2 | Jan 11, 2021 | Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface. |