CVE-2023-41314 — Incorrect Authorization in Apache Doris

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

8.2HIGHNVD

EPSS

0.4%

top 40.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Doris Apache Software Foundation Apache Doris

Timeline

PublishedDec 18

Latest updateDec 22

Description

The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

▶NVDapache/doris< 2.0.3

▶CVEListV5apache_software_foundation/apache_doris1.2.0 — 2.0.3

🔴Vulnerability Details

GHSA

GHSA-vm9x-85qm-fvq3: The api /api/snapshot and /api/get_log_file would allow unauthenticated access↗2023-12-22

▶

CVEList

Apache Doris: Missing API authentication allowed DoS↗2023-12-18

▶