All the vulnerabilites related to Apache Software Foundation - Apache DolphinScheduler
cve-2023-49250
Vulnerability from cvelistv5
Published
2024-02-20 10:00
Modified
2024-08-14 15:18
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.724Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T15:17:49.511453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T15:18:07.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-common",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBecause the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.\n\nThis issue affects Apache DolphinScheduler: before 3.2.0.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:00:06.733Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49250",
"datePublished": "2024-02-20T10:00:06.733Z",
"dateReserved": "2023-11-24T11:02:09.324Z",
"dateUpdated": "2024-08-14T15:18:07.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-27644
Vulnerability from cvelistv5
Published
2021-11-01 09:15
Modified
2024-08-03 21:26
Severity ?
EPSS score ?
Summary
DolphinScheduler mysql jdbc connector parameters deserialize remote code execution
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E | x_refsource_MISC | |
| https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://www.openwall.com/lists/oss-security/2021/11/01/3 | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E"
},
{
"name": "[dolphinscheduler-dev] 20211101 CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E"
},
{
"name": "[oss-security] 20211101 CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.3.6",
"status": "affected",
"version": "Apache DolphinScheduler",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Jinchen Sheng of Ant FG Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)"
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-01T14:06:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E"
},
{
"name": "[dolphinscheduler-dev] 20211101 CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E"
},
{
"name": "[oss-security] 20211101 CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DolphinScheduler mysql jdbc connector parameters deserialize remote code execution",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-27644",
"STATE": "PUBLIC",
"TITLE": "DolphinScheduler mysql jdbc connector parameters deserialize remote code execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache DolphinScheduler",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache DolphinScheduler",
"version_value": "1.3.6"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Jinchen Sheng of Ant FG Security Lab"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E"
},
{
"name": "[dolphinscheduler-dev] 20211101 CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6@%3Cdev.dolphinscheduler.apache.org%3E"
},
{
"name": "[oss-security] 20211101 CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/3"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27644",
"datePublished": "2021-11-01T09:15:10",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-30188
Vulnerability from cvelistv5
Published
2024-08-09 14:23
Modified
2024-08-10 14:30
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Resource File Read And Write Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:52.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-10T14:25:59.911467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-10T14:30:41.361Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "drun1baby"
},
{
"lang": "en",
"type": "reporter",
"value": "Zevi"
},
{
"lang": "en",
"type": "reporter",
"value": "Xun Bai"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u0026nbsp; authenticated users can illegally access additional resource files.\u003cbr\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u00a0 authenticated users can illegally access additional resource files.\nThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:23:27.823Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Resource File Read And Write Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-30188",
"datePublished": "2024-08-09T14:23:27.823Z",
"dateReserved": "2024-03-25T09:58:24.854Z",
"dateUpdated": "2024-08-10T14:30:41.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-25598
Vulnerability from cvelistv5
Published
2022-03-30 09:20
Modified
2024-08-03 04:42
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler user registration is vulnerable to ReDoS attacks
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:49.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.5",
"status": "affected",
"version": "Apache DolphinScheduler",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Zheng Wang of HIT"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T10:06:42.168Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler user registration is vulnerable to ReDoS attacks",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-25598",
"STATE": "PUBLIC",
"TITLE": "Apache DolphinScheduler user registration is vulnerable to ReDoS attacks"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache DolphinScheduler",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache DolphinScheduler",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Zheng Wang of HIT"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-25598",
"datePublished": "2022-03-30T09:20:12",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-03T04:42:49.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49068
Vulnerability from cvelistv5
Published
2023-11-27 09:49
Modified
2024-08-02 21:46
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Information Leakage Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/apache/dolphinscheduler/pull/15192 | issue-tracking | |
| https://lists.apache.org/thread/jn6kr6mjdgtfgpxoq9j8q4pkfsq8zmpq | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:28.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15192"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/jn6kr6mjdgtfgpxoq9j8q4pkfsq8zmpq"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Y4tacker and 4ra1n from Y4secTeam"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.1.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T09:49:42.477Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15192"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jn6kr6mjdgtfgpxoq9j8q4pkfsq8zmpq"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Information Leakage Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49068",
"datePublished": "2023-11-27T09:49:42.477Z",
"dateReserved": "2023-11-21T05:39:23.905Z",
"dateUpdated": "2024-08-02T21:46:28.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49109
Vulnerability from cvelistv5
Published
2024-02-20 09:58
Modified
2024-08-26 17:51
Severity ?
EPSS score ?
Summary
Remote Code Execution in Apache Dolphinscheduler
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T15:21:40.896739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T17:51:16.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Y4tacker and 4ra1n from Y4secTeam"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.1. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. "
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. "
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T09:58:56.779Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution in Apache Dolphinscheduler",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49109",
"datePublished": "2024-02-20T09:58:56.779Z",
"dateReserved": "2023-11-22T08:14:39.874Z",
"dateUpdated": "2024-08-26T17:51:16.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-25601
Vulnerability from cvelistv5
Published
2023-04-20 15:07
Modified
2024-10-21 15:08
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has improper authentication
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/04/20/10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T15:08:10.935598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T15:08:23.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.1.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "On version 3.0.0 through 3.1.1, Apache DolphinScheduler\u0027s python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above.\u003cbr\u003e"
}
],
"value": "On version 3.0.0 through 3.1.1, Apache DolphinScheduler\u0027s python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above.\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T15:07:00.310Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/04/20/10"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has\u00a0improper authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-25601",
"datePublished": "2023-04-20T15:07:00.310Z",
"dateReserved": "2023-02-08T08:41:54.068Z",
"dateUpdated": "2024-10-21T15:08:23.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49620
Vulnerability from cvelistv5
Published
2023-11-30 08:17
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.904Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/10307"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/30/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuanheng Lab of zhongfu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with\u0026nbsp;unauthorized\u0026nbsp;access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this\u0026nbsp;vulnerability"
}
],
"value": "Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with\u00a0unauthorized\u00a0access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this\u00a0vulnerability"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-30T08:17:01.765Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/10307"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/30/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49620",
"datePublished": "2023-11-30T08:17:01.765Z",
"dateReserved": "2023-11-28T07:30:24.598Z",
"dateUpdated": "2024-08-02T22:01:25.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-26885
Vulnerability from cvelistv5
Published
2022-11-24 00:00
Modified
2024-08-03 05:18
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler config file read by task risk
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:38.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/z7084r9cs2r26cszkkgjqpb5bhnxqssp"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.6",
"status": "affected",
"version": "Apache DolphinScheduler",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher."
}
],
"metrics": [
{
"other": {
"content": {
"other": "important"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "config file read by task risk",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-24T00:00:00",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/z7084r9cs2r26cszkkgjqpb5bhnxqssp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler config file read by task risk",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-26885",
"datePublished": "2022-11-24T00:00:00",
"dateReserved": "2022-03-11T00:00:00",
"dateUpdated": "2024-08-03T05:18:38.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-48796
Vulnerability from cvelistv5
Published
2023-11-24 07:56
Modified
2024-08-02 21:46
Severity ?
EPSS score ?
Summary
Apache dolphinscheduler sensitive information disclosure
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:27.235Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/24/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.\u003cbr\u003e\u003cbr\u003eThe information exposed to unauthorized actors may include sensitive data such as database credentials.\u003cbr\u003e\u003cbr\u003eUsers who can\u0027t upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e```\u003cbr\u003emanagement:\u003cbr\u003e\u0026nbsp; endpoints:\u003cbr\u003e\u0026nbsp; \u0026nbsp; web:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; exposure:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; include: health,metrics,prometheus\u003cbr\u003e```\u003cbr\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.0.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.\n\nThe information exposed to unauthorized actors may include sensitive data such as database credentials.\n\nUsers who can\u0027t upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file\n\n```\nmanagement:\n\u00a0 endpoints:\n\u00a0 \u00a0 web:\n\u00a0 \u00a0 \u00a0 exposure:\n\u00a0 \u00a0 \u00a0 \u00a0 include: health,metrics,prometheus\n```\n\nThis issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.\n\nUsers are recommended to upgrade to version 3.0.2, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-24T07:56:43.542Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/24/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache dolphinscheduler sensitive information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-48796",
"datePublished": "2023-11-24T07:56:43.542Z",
"dateReserved": "2023-11-20T03:53:27.700Z",
"dateUpdated": "2024-08-02T21:46:27.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-34662
Vulnerability from cvelistv5
Published
2022-11-01 00:00
Modified
2024-08-03 09:15
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler prior to 3.0.0 allows path traversal
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:15:15.715Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8"
},
{
"name": "[oss-security] 20221101 CVE-2022-34662: Apache DolphinScheduler prior to 3.0.0 allows path traversal",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/01/13"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.0.0-beta-1",
"status": "affected",
"version": "Apache DolphinScheduler",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Jigang Dong of M1QLin Security Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher"
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T00:00:00",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8"
},
{
"name": "[oss-security] 20221101 CVE-2022-34662: Apache DolphinScheduler prior to 3.0.0 allows path traversal",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/01/13"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler prior to 3.0.0 allows path traversal",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-34662",
"datePublished": "2022-11-01T00:00:00",
"dateReserved": "2022-06-27T00:00:00",
"dateUpdated": "2024-08-03T09:15:15.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-50270
Vulnerability from cvelistv5
Published
2024-02-20 10:01
Modified
2024-08-29 15:08
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Session do not expire after password change
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T17:07:02.901267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:08:36.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lujiefsi"
},
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T10:17:35.425Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Session do not expire after password change",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-50270",
"datePublished": "2024-02-20T10:01:32.260Z",
"dateReserved": "2023-12-06T02:25:09.094Z",
"dateUpdated": "2024-08-29T15:08:36.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51770
Vulnerability from cvelistv5
Published
2024-02-20 10:02
Modified
2024-08-02 22:48
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Arbitrary File Read Vulnerability
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T20:29:47.005332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:55.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-datasource-mysql",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "zhiwei"
},
{
"lang": "en",
"type": "finder",
"value": "rg"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.1. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:02:12.991Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51770",
"datePublished": "2024-02-20T10:02:12.991Z",
"dateReserved": "2023-12-25T03:43:07.636Z",
"dateUpdated": "2024-08-02T22:48:11.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49299
Vulnerability from cvelistv5
Published
2023-12-30 16:27
Modified
2024-08-26 20:23
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15228"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T20:21:55.529873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T20:23:11.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eluen Siebene"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\u003c/span\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: until 3.1.9.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.1.9, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An\u00a0authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9.\n\nUsers are recommended to upgrade to version 3.1.9, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-30T16:30:17.905Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15228"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary js execute as root for authenticated users",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49299",
"datePublished": "2023-12-30T16:27:12.045Z",
"dateReserved": "2023-11-26T10:03:26.679Z",
"dateUpdated": "2024-08-26T20:23:11.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-45875
Vulnerability from cvelistv5
Published
2023-01-04 14:57
Modified
2024-08-03 14:24
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/22/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1.0",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "4ra1n of Chaitin Tech"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis attack can be performed only by authenticated users which can login to DS.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.\nThis attack can be performed only by authenticated users which can login to DS.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-22T08:29:03.589Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/22/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45875",
"datePublished": "2023-01-04T14:57:45.334Z",
"dateReserved": "2022-11-24T08:21:11.029Z",
"dateUpdated": "2024-08-03T14:24:03.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-43202
Vulnerability from cvelistv5
Published
2024-08-20 07:29
Modified
2024-08-20 15:02
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Remote Code Execution Vulnerability
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T13:06:20.819939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T13:13:41.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-20T15:02:42.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "an4er"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.2. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T07:29:43.170Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15758"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49109"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43202",
"datePublished": "2024-08-20T07:29:43.170Z",
"dateReserved": "2024-08-07T15:30:55.296Z",
"dateUpdated": "2024-08-20T15:02:42.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-26884
Vulnerability from cvelistv5
Published
2022-10-28 00:00
Modified
2024-08-03 05:18
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler exposes files without authentication
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:37.995Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/xfdst5y4hnrm2ntmc5jzrgmw2htyyb9c"
},
{
"name": "[oss-security] 20221028 CVE-2022-26884: Apache DolphinScheduler exposes files without authentication",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/28/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.6",
"status": "affected",
"version": "Apache DolphinScheduler",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T00:00:00",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/xfdst5y4hnrm2ntmc5jzrgmw2htyyb9c"
},
{
"name": "[oss-security] 20221028 CVE-2022-26884: Apache DolphinScheduler exposes files without authentication",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/10/28/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler exposes files without authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-26884",
"datePublished": "2022-10-28T00:00:00",
"dateReserved": "2022-03-11T00:00:00",
"dateUpdated": "2024-08-03T05:18:37.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13922
Vulnerability from cvelistv5
Published
2021-01-11 09:40
Modified
2024-08-04 12:32
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler (incubating) Permission vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.mail-archive.com/announce%40apache.org/msg06076.html | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.208Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mail-archive.com/announce%40apache.org/msg06076.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "Apache DolphinScheduler",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by xuxiang of DtDream security"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-11T09:40:19",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mail-archive.com/announce%40apache.org/msg06076.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler (incubating) Permission vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13922",
"STATE": "PUBLIC",
"TITLE": "Apache DolphinScheduler (incubating) Permission vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache DolphinScheduler",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache DolphinScheduler",
"version_value": "1.3.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by xuxiang of DtDream security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mail-archive.com/announce@apache.org/msg06076.html",
"refsource": "MISC",
"url": "https://www.mail-archive.com/announce@apache.org/msg06076.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13922",
"datePublished": "2021-01-11T09:40:19",
"dateReserved": "2020-06-08T00:00:00",
"dateUpdated": "2024-08-04T12:32:14.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-45462
Vulnerability from cvelistv5
Published
2022-11-23 00:00
Modified
2024-08-03 14:17
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:03.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/2f126y32bf1v3mvxkdgt2jr5j3l1t01w"
},
{
"name": "[oss-security] 20221123 CVE-2022-45462: Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/23/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Jigang Dong of M1QLin Security Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher"
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-23T00:00:00",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/2f126y32bf1v3mvxkdgt2jr5j3l1t01w"
},
{
"name": "[oss-security] 20221123 CVE-2022-45462: Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/23/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45462",
"datePublished": "2022-11-23T00:00:00",
"dateReserved": "2022-11-17T00:00:00",
"dateUpdated": "2024-08-03T14:17:03.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-29831
Vulnerability from cvelistv5
Published
2024-08-09 14:21
Modified
2024-08-12 17:49
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: RCE by arbitrary js execution
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:51.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:05:34.308702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:49:00.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yerest"
},
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "My Long"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:21:48.184Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: RCE by arbitrary js execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29831",
"datePublished": "2024-08-09T14:21:48.184Z",
"dateReserved": "2024-03-20T09:51:46.246Z",
"dateUpdated": "2024-08-12T17:49:00.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23320
Vulnerability from cvelistv5
Published
2024-02-23 16:57
Modified
2024-08-01 22:59
Severity ?
EPSS score ?
Summary
Apache DolphinScheduler: Arbitrary js execution as root for authenticated users
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T18:27:33.967939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:29:05.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-master",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xuesong.zhou"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
},
{
"lang": "en",
"type": "finder",
"value": "Huang Atao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: until 3.2.1.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\n\nThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\n\nThis issue affects Apache DolphinScheduler: until 3.2.1.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T16:57:09.741Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary js execution as root for authenticated users",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-23320",
"datePublished": "2024-02-23T16:57:09.741Z",
"dateReserved": "2024-01-15T10:49:33.393Z",
"dateUpdated": "2024-08-01T22:59:32.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}