CVE-2023-50270

Description

Session Fixation Apache DolphinScheduler before version 3.2.1, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

How to fix CVE-2023-50270

To remediate CVE-2023-50270, upgrade the affected package to a fixed version below.

• Maven/org.apache.dolphinscheduler:dolphinscheduler—upgrade to 3.2.1 or later

Is CVE-2023-50270 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 1.3.8, < 3.2.1

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-50270
• PATCHgithub.com/apache/dolphinscheduler
• WEBgithub.com/apache/dolphinscheduler/pull/15219
• WEBlists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6
• WEB