Apache DolphinScheduler is vulnerable to Session Fixation. The vulnerability is due to a lack of proper session management within LoginController.java: if a user changes their password, the old session is not deactivated.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | dolphinscheduler-api | le | 3.2.0 |
www.openwall.com/lists/oss-security/2024/02/20/3
github.com/advisories/GHSA-vjqc-g788-f378
github.com/apache/dolphinscheduler/commit/12f8138167f8481f66d52775b510457f532b56e4
github.com/apache/dolphinscheduler/pull/15219
lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6
lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r