Re: CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability

[John Helmert III <ajak () gentoo org>]

On Fri, Nov 24, 2023 at 05:29:43AM +0000, Zihao Xiang wrote:
> Severity: important
>
> Affected versions:
>
> - Apache DolphinScheduler before 3.2.1
>
> Description:
>
> Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue 
> affects Apache DolphinScheduler: 3.2.1.
>
> Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

So <3.2.1 is affected, but also =3.2.1, and "[FIXED_VERSION]" was
seemingly not replaced in the template. What are the correct affected
and unaffected versions? I tried to dig into what releases the fix
commit is in, but I found that that commit doesn't seem to be in any
tags yet, either?

~/git/dolphinscheduler $ git tag --contains 7308888c703fbe227887d2426273100582096134
~/git/dolphinscheduler $

> References:
>
> https://github.com/apache/dolphinscheduler/pull/15192
> https://dolphinscheduler.apache.org
> https://www.cve.org/CVERecord?id=CVE-2023-49068

Attachment: signature.asc
Description: