CVE-2023-49620

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/apache/dolphinscheduler/pull/10307", "name": "https://github.com/apache/dolphinscheduler/pull/10307", "tags": ["Issue Tracking", "Patch"], "refsource": ""}, {"url": "https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj", "name": "https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj", "tags": ["Mailing List", "Vendor Advisory"], "refsource": ""}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/30/4", "name": "http://www.openwall.com/lists/oss-security/2023/11/30/4", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with\u00a0unauthorized\u00a0access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this\u00a0vulnerability"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-862"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-49620", "ASSIGNER": "security@apache.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2023-11-30T09:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.1.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-12-05T19:08Z"}