CVE-2023-50270 Apache DolphinScheduler: Session do not expire after password change

2024-02-2010:01:32

CWE-613

apache

www.cve.org

cve-2023-50270

apache dolphinscheduler

session fixation

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.

Users are recommended to upgrade to version 3.2.1, which fixes this issue.

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
    "product": "Apache DolphinScheduler",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.2.0",
        "status": "affected",
        "version": "1.3.8",
        "versionType": "semver"
      }
    ]
  }
]