CVE-2023-50270
Apache DolphinScheduler: Session do not expire after password change
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Corrección de sesión de Apache DolphinScheduler anterior a la versión 3.2.0, cuya sesión sigue siendo válida después del cambio de contraseña. Se recomienda a los usuarios actualizar a la versión 3.2.1, que soluciona este problema.
*Credits:
lujiefsi, Qing Xu
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-12-06 CVE Reserved
- 2024-02-20 CVE Published
- 2024-02-21 EPSS Updated
- 2024-08-29 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-384: Session Fixation
- CWE-613: Insufficient Session Expiration
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://www.openwall.com/lists/oss-security/2024/02/20/3 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/apache/dolphinscheduler/pull/15219 | 2024-02-23 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6 | 2024-02-23 | |
| https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r | 2024-02-23 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache DolphinScheduler Search vendor "Apache Software Foundation" for product "Apache DolphinScheduler" | >= 1.3.8 <= 3.2.0 Search vendor "Apache Software Foundation" for product "Apache DolphinScheduler" and version " >= 1.3.8 <= 3.2.0" | en |
Affected
| ||||||