oss-sec mailing list archives
Re: CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability
From: John Helmert III <ajak () gentoo org>
Date: Sat, 25 Nov 2023 12:07:41 -0800
On Fri, Nov 24, 2023 at 05:29:43AM +0000, Zihao Xiang wrote:
> Severity: important
>
> Affected versions:
>
> - Apache DolphinScheduler before 3.2.1
>
> Description:
>
> Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: 3.2.1.
>
> Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

So <3.2.1 is affected, but also =3.2.1, and "[FIXED_VERSION]" was seemingly not replaced in the template. What are the correct affected and unaffected versions?

I tried to dig into what releases the fix commit is in, but I found that that commit doesn't seem to be in any tags yet, either?

~/git/dolphinscheduler $ git tag --contains 7308888c703fbe227887d2426273100582096134
~/git/dolphinscheduler $

> References:
>
> https://github.com/apache/dolphinscheduler/pull/15192
> https://dolphinscheduler.apache.org
> https://www.cve.org/CVERecord?id=CVE-2023-49068
Current thread:
- CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability Zihao Xiang (Nov 24)
- Re: CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability John Helmert III (Nov 25)