CVE-2023-50270 (GCVE-0-2023-50270)
Vulnerability from cvelistv5 – Published: 2024-02-20 10:01 – Updated: 2024-08-29 15:08
VLAI?
Title
Apache DolphinScheduler: Session do not expire after password change
Summary
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
1.3.8 , ≤ 3.2.0
(semver)
|
Credits
lujiefsi
Qing Xu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T17:07:02.901267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:08:36.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lujiefsi"
},
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T10:17:35.425Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Session do not expire after password change",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-50270",
"datePublished": "2024-02-20T10:01:32.260Z",
"dateReserved": "2023-12-06T02:25:09.094Z",
"dateUpdated": "2024-08-29T15:08:36.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\\n\\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue.\"}, {\"lang\": \"es\", \"value\": \"Correcci\\u00f3n de sesi\\u00f3n de Apache DolphinScheduler anterior a la versi\\u00f3n 3.2.0, cuya sesi\\u00f3n sigue siendo v\\u00e1lida despu\\u00e9s del cambio de contrase\\u00f1a. Se recomienda a los usuarios actualizar a la versi\\u00f3n 3.2.1, que soluciona este problema.\"}]",
"id": "CVE-2023-50270",
"lastModified": "2024-11-21T08:36:47.543",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}]}",
"published": "2024-02-20T10:15:08.140",
"references": "[{\"url\": \"https://github.com/apache/dolphinscheduler/pull/15219\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r\", \"source\": \"security@apache.org\"}, {\"url\": \"https://www.openwall.com/lists/oss-security/2024/02/20/3\", \"source\": \"security@apache.org\"}, {\"url\": \"https://github.com/apache/dolphinscheduler/pull/15219\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.openwall.com/lists/oss-security/2024/02/20/3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-613\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-384\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-50270\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-02-20T10:15:08.140\",\"lastModified\":\"2025-03-18T17:38:29.743\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\\n\\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue.\"},{\"lang\":\"es\",\"value\":\"Correcci\u00f3n de sesi\u00f3n de Apache DolphinScheduler anterior a la versi\u00f3n 3.2.0, cuya sesi\u00f3n sigue siendo v\u00e1lida despu\u00e9s del cambio de contrase\u00f1a. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.2.1, que soluciona este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-384\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.8\",\"versionEndExcluding\":\"3.2.1\",\"matchCriteriaId\":\"7870A4CC-1A8D-4E9A-9302-F31B465A8C20\"}]}]}],\"references\":[{\"url\":\"https://github.com/apache/dolphinscheduler/pull/15219\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2024/02/20/3\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/apache/dolphinscheduler/pull/15219\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2024/02/20/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/apache/dolphinscheduler/pull/15219\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2024/02/20/3\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T22:16:46.169Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-50270\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-20T17:07:02.901267Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*\"], \"vendor\": \"apache\", \"product\": \"dolphinscheduler\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.3.8\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.2.0\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-384\", \"description\": \"CWE-384 Session Fixation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-29T15:08:30.902Z\"}}], \"cna\": {\"title\": \"Apache DolphinScheduler: Session do not expire after password change\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"lujiefsi\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Qing Xu\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache DolphinScheduler\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.3.8\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.2.0\"}], \"packageName\": \"org.apache.dolphinscheduler:dolphinscheduler-api\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/apache/dolphinscheduler/pull/15219\", \"tags\": [\"patch\"]}, {\"url\": \"https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2024/02/20/3\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\\n\\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.1, which fixes this issue.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613 Insufficient Session Expiration\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-02-23T10:17:35.425Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-50270\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-29T15:08:36.166Z\", \"dateReserved\": \"2023-12-06T02:25:09.094Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-02-20T10:01:32.260Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…