Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.

This issue affects Apache DolphinScheduler: before 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.

Affected Packages

Maven org.apache.dolphinscheduler:dolphinscheduler

Affected versions: 0 (fixed in 3.2.1)

Related CVEs

CVE-2023-49250

Key Information

GHSA ID

GHSA-37gx-jqx9-fwmg

Published

February 20, 2024 12:31 PM

Last Modified

February 13, 2025 7:12 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.apache.dolphinscheduler:dolphinscheduler

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.