CVE-2023-50270: 
Java vulnerability analysis and mitigation

Apache DolphinScheduler versions 1.3.8 through 3.2.0 contain a session fixation vulnerability identified as CVE-2023-50270. The vulnerability allows user sessions to remain valid even after password changes, creating a potential security risk. This vulnerability was discovered by lujiefsi and publicly disclosed in February 2024 (Apache List).

The vulnerability is classified as a session fixation issue (CWE-384) with a CVSS v3.1 base score of 6.5 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U) with low impacts on confidentiality (C:L) and integrity (I:L), but no impact on availability (A:N) (NVD).

When exploited, this vulnerability could allow an attacker who has obtained access to a user's old session to maintain that access even after the user changes their password. This creates a potential security breach where unauthorized users could retain access to the system despite password changes (Security Online).

Users are strongly recommended to upgrade to Apache DolphinScheduler version 3.2.1, which contains the fix for this vulnerability. The fix implements proper session management that ensures sessions expire when passwords are changed (Apache List).