CVE-2023-49620: 
Java vulnerability analysis and mitigation

CVE-2023-49620 affects Apache DolphinScheduler versions before 3.1.0. The vulnerability allows authenticated users to delete User Defined Function (UDF) in the resource center without proper authorization, representing an Insecure Direct Object Reference (IDOR) vulnerability. The issue was discovered by Yuanheng Lab of zhongfu and was fixed in version 3.1.0 (Apache Advisory, OSS Security).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), requires no user interaction (UI:N), affects only the local scope (S:U), has no impact on confidentiality (C:N), has high impact on integrity (I:H), and no impact on availability (A:N) (NVD).

The vulnerability allows authenticated users to delete UDF functions in the resource center without proper authorization. These UDF functions are primarily used in SQL tasks, and their unauthorized deletion could impact the functionality of SQL-related operations in the system (OSS Security).

Users are advised to upgrade to Apache DolphinScheduler version 3.1.0 or later, which contains the fix for this vulnerability. The issue has been addressed through a reconstruction of permissions in the resource center (GitHub PR).