Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has improper authentication
CVE-2023-25601

4.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Dolphinscheduler
Vendor: CVE Published:; 20 April 2023

What is CVE-2023-25601?

On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value python-gateway.enabled=false in configuration file application.yaml. If you are using the python gateway, please upgrade to version 3.1.2 or above.

Affected Version(s)

Apache DolphinScheduler 3.0.0 < 3.1.2

References

https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/04/20/10

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2023
Vulnerability Reserved
Feb 8, 2023