Vulnerabilities > Apache > Dolphinscheduler > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-11-30 CVE-2023-49620 Missing Authorization vulnerability in Apache Dolphinscheduler
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (these are mostly used in SQL tasks), an unauthorized access vulnerability (IDOR); after version 3.1.0 we fixed this issue.
network
low complexity
apache CWE-862
6.5
2023-04-20 CVE-2023-25601 Improper Authentication vulnerability in Apache Dolphinscheduler
In versions 3.0.0 through 3.1.1, Apache DolphinScheduler's Python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication.
network
low complexity
apache CWE-287
4.3
2022-11-01 CVE-2022-34662 Path Traversal vulnerability in Apache Dolphinscheduler
When users add resources to the resource center with a relative path, this causes path traversal issues. Only logged-in users can trigger it.
network
low complexity
apache CWE-22
6.5
2022-10-28 CVE-2022-26884 Path Traversal vulnerability in Apache Dolphinscheduler
Users can read any file via the log server. Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
network
low complexity
apache CWE-22
6.5
2021-01-11 CVE-2020-13922 Incorrect Default Permissions vulnerability in Apache Dolphinscheduler 1.2.0/1.2.1/1.3.1
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface.
network
low complexity
apache CWE-276
6.5