CVE-2023-49250

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

7.3HIGH

EPSS

0.2%

top 61.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Dolphinscheduler Apache Software Foundation Apache Dolphinscheduler

Timeline

PublishedFeb 20

Description

Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages3 packages

▶NVDapache/dolphinscheduler< 3.2.1

▶Mavenorg.apache.dolphinscheduler:dolphinscheduler< 3.2.1

▶CVEListV5apache_software_foundation/apache_dolphinscheduler3.2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Improper Certificate Validation in Apache DolphinScheduler↗2024-02-20

▶

OSV

Improper Certificate Validation in Apache DolphinScheduler↗2024-02-20

▶

CVEList

Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil↗2024-02-20

▶