History: Dec 18, 2023 - 8:27 a.m.

CVE-2023-41314 Apache Doris: Missing API authentication allowed DoS

2023-12-18 08:27:51
CWE-863
apache
www.cve.org
apache doris
missing api authentication
dos attack
arbitrary files access
upgrade 2.0.3

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

38.0%

The API endpoints /api/snapshot and /api/get_log_file allow unauthenticated access.
This could allow a DoS attack or retrieval of arbitrary files from the FE node.
Please upgrade to 2.0.3 to fix these issues.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Doris",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.0.3",
        "status": "affected",
        "version": "1.2.0",
        "versionType": "semver"
      }
    ]
  }
]
