
CVE-2023-50270: Session Fixation Apache DolphinScheduler

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.62282%
Published: 2/20/2024
Updated: 3/3/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name                                  | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.dolphinscheduler:dolphinscheduler  | maven     | >= 1.3.8, < 3.2.1   | 3.2.1

Vulnerability Intelligence

Root Cause Analysis

The patch in PR#15219 explicitly adds session invalidation logic to UsersServiceImpl.updateUser and enhances SessionDaoImpl.deleteByUserId. The vulnerability stems from (1) not clearing a user's existing sessions when their password is updated, and (2) incomplete session management infrastructure. The CWE-613 mapping confirms this is an insufficient session expiration issue: a credential change did not terminate the sessions already issued for that account.
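The pattern behind the root cause, as an added example that is not DolphinScheduler code and does not reproduce its API: a toy in-memory session store and a user service that can run in either the pre-fix mode (password change leaves every session alive) or the fixed mode (password change deletes all sessions belonging to that user, the effect of the deleteByUserId call the patch introduces). The `SessionStore`, `UserService` and `session_survives_password_change` names are assumptions made for the illustration.

```python
"""Session invalidation on credential change (CWE-613), illustrated.

Constructed example: not DolphinScheduler's own classes. It shows why a
password update must also terminate the user's existing sessions.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class SessionStore:
    """Maps opaque session ids to the user id they were issued for."""

    def __init__(self) -> None:
        self._sessions: Dict[str, int] = {}

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable, server-generated id
        self._sessions[sid] = user_id
        return sid

    def user_for(self, sid: str) -> Optional[int]:
        return self._sessions.get(sid)

    def delete_by_user_id(self, user_id: int, keep: Optional[str] = None) -> int:
        """Drop every session of `user_id`; optionally keep the one that
        performed the change. Returns the number of sessions removed."""
        stale = [sid for sid, uid in self._sessions.items()
                 if uid == user_id and sid != keep]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


class UserService:
    """Credential store; `invalidate_on_change` selects fixed vs. pre-fix behaviour."""

    def __init__(self, sessions: SessionStore, invalidate_on_change: bool) -> None:
        self.sessions = sessions
        self.invalidate_on_change = invalidate_on_change
        self._users: Dict[int, Tuple[bytes, bytes]] = {}  # user_id -> (salt, digest)

    def create_user(self, user_id: int, password: str) -> None:
        self._users[user_id] = hash_password(password)

    def login(self, user_id: int, password: str) -> Optional[str]:
        salt, digest = self._users[user_id]
        if not verify_password(password, salt, digest):
            return None
        return self.sessions.create(user_id)

    def update_password(self, user_id: int, new_password: str,
                        current_session: Optional[str] = None) -> int:
        """Rotate the credential. In fixed mode, every other session of the
        user is terminated so a previously issued session id stops working."""
        self._users[user_id] = hash_password(new_password)
        if self.invalidate_on_change:
            return self.sessions.delete_by_user_id(user_id, keep=current_session)
        return 0


def session_survives_password_change(invalidate_on_change: bool) -> bool:
    """Constructed scenario: a session issued before the password change is
    presented afterwards. True means the session is still honoured (the bug)."""
    store = SessionStore()
    svc = UserService(store, invalidate_on_change)
    svc.create_user(7, "old-password")
    earlier_session = svc.login(7, "old-password")
    assert earlier_session is not None
    svc.update_password(7, "new-password")  # change made from a different session
    return store.user_for(earlier_session) == 7


if __name__ == "__main__":
    print("pre-fix: old session still valid ->", session_survives_password_change(False))
    print("fixed:   old session still valid ->", session_survives_password_change(True))
```

The `keep` argument reflects a common design choice: the session that initiated the change may be retained, but every other session for the account must go, because a session established with the old credential is exactly what a password reset is meant to cut off.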


WAF Protection Rules

WAF Rule

Session Fixation Apache DolphinScheduler before version 3.2.1, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.
