CVE-2023-50270

Description

Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

Apache Software Foundation / Apache DolphinScheduler1.3.8 – 3.2.0

References

PATCHhttps://github.com/apache/dolphinscheduler/pull/15219
MAILING_LISThttps://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r
MAILING_LISThttps://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6
MAILING_LISThttps://www.openwall.com/lists/oss-security/2024/02/20/3