PT-2024-13709 · Apache · Apache Dolphinscheduler

Jiajie Zhong

Published

2024-02-20

Updated

2025-03-18

CVE-2023-49250

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Apache DolphinScheduler versions prior to 3.2.0

Description The issue arises because the HttpUtils class did not verify certificates, allowing an attacker to perform a Man-in-the-Middle (MITM) attack on outgoing https connections and impersonate the server.

Recommendations For versions prior to 3.2.0, upgrade to version 3.2.1, which fixes the issue. As a temporary workaround, consider restricting outgoing https connections to trusted servers to minimize the risk of exploitation.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

CVE-2023-49250

GHSA-37GX-JQX9-FWMG

Affected Products

Apache Dolphinscheduler

PT-2024-13709 · Apache · Apache Dolphinscheduler

CVE-2023-49250

Weakness Enumeration

Related Identifiers

Affected Products

References · 13