Certificate Verification Vulnerability Affects Apache DolphinScheduler
CVE-2023-49250

7.3HIGH

Key Information:

Vendor: Apache
Status: Apache Dolphinscheduler
Vendor: CVE Published:; 20 February 2024

Summary

A vulnerability in the HttpUtils class of Apache DolphinScheduler permits attackers to exploit unverified HTTPS connections. This flaw enables a Man-in-the-Middle (MITM) attack, allowing an attacker to impersonate a legitimate server. Users running versions earlier than 3.2.0 are urged to update to version 3.2.1 to mitigate this risk.

Affected Version(s)

Apache DolphinScheduler 0 <= 3.2.0

References

https://github.com/apache/dolphinscheduler/pull/15288

patch

https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73n...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/20/1

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 20, 2024
Vulnerability Reserved
Nov 24, 2023