Search criteria
72 vulnerabilities found for dolphinscheduler by apache
FKIE_CVE-2024-43166
Vulnerability from fkie_nvd - Published: 2025-09-03 10:15 - Updated: 2025-11-04 22:16
Severity ?
Summary
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA3F4CF0-C52D-4EC7-AEA3-4B49F30F0B9C",
"versionEndExcluding": "3.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Default Permissions vulnerability in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"id": "CVE-2024-43166",
"lastModified": "2025-11-04T22:16:03.300",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-09-03T10:15:36.463",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-43115
Vulnerability from fkie_nvd - Published: 2025-09-03 09:15 - Updated: 2025-11-04 22:16
Severity ?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA3F4CF0-C52D-4EC7-AEA3-4B49F30F0B9C",
"versionEndExcluding": "3.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.\n\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"id": "CVE-2024-43115",
"lastModified": "2025-11-04T22:16:03.113",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-09-03T09:15:34.047",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/qm36nrsv1vrr2j4o5q2wo75h3686hrnj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-43202
Vulnerability from fkie_nvd - Published: 2024-08-20 08:15 - Updated: 2025-03-18 15:57
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://github.com/apache/dolphinscheduler/pull/15758 | Issue Tracking, Patch | |
| security@apache.org | https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5 | Vendor Advisory | |
| security@apache.org | https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh | Vendor Advisory | |
| security@apache.org | https://www.cve.org/CVERecord?id=CVE-2023-49109 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/08/20/2 | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EC3473-58C8-4963-B966-C494C50DC5E7",
"versionEndExcluding": "3.2.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
},
{
"lang": "es",
"value": "Exposici\u00f3n de la ejecuci\u00f3n remota de c\u00f3digo en Apache Dolphinscheduler. Este problema afecta a Apache DolphinScheduler: versiones anteriores a 3.2.2. Recomendamos a los usuarios que actualicen Apache DolphinScheduler a la versi\u00f3n 3.2.2, que soluciona el problema."
}
],
"id": "CVE-2024-43202",
"lastModified": "2025-03-18T15:57:37.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-20T08:15:05.240",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15758"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49109"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/08/20/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2024-30188
Vulnerability from fkie_nvd - Published: 2024-08-12 13:38 - Updated: 2025-03-13 14:15
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files.
This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.
Users are recommended to upgrade to version 3.2.2, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5F0BE24-AE50-493E-825B-71C793B910EC",
"versionEndExcluding": "3.2.2",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u00a0 authenticated users can illegally access additional resource files.\nThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de lectura y escritura de archivos en Apache DolphinScheduler, los usuarios autenticados pueden acceder ilegalmente a archivos de recursos adicionales. Este problema afecta a Apache DolphinScheduler: desde 3.1.0 antes de 3.2.2. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.2.2, que soluciona el problema."
}
],
"id": "CVE-2024-30188",
"lastModified": "2025-03-13T14:15:25.240",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-12T13:38:19.727",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/7"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-29831
Vulnerability from fkie_nvd - Published: 2024-08-12 13:38 - Updated: 2025-03-18 15:56
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/08/09/6 | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA3F4CF0-C52D-4EC7-AEA3-4B49F30F0B9C",
"versionEndExcluding": "3.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2."
},
{
"lang": "es",
"value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache DolphinScheduler. Un usuario autenticado puede hacer que se ejecute JavaScript arbitrario y sin espacio aislado en el servidor. Si est\u00e1 utilizando el complemento de cambio de tarea, actualice a la versi\u00f3n 3.2.2."
}
],
"id": "CVE-2024-29831",
"lastModified": "2025-03-18T15:56:38.357",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-12T13:38:18.560",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/6"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-23320
Vulnerability from fkie_nvd - Published: 2024-02-23 17:15 - Updated: 2025-03-18 17:54
Severity ?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA8D19E0-BC4F-4F9C-A389-BB4D41183206",
"versionEndExcluding": "3.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\n\nThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\n\nThis issue affects Apache DolphinScheduler: until 3.2.1.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache DolphinScheduler. Un usuario autenticado puede hacer que se ejecute JavaScript arbitrario y sin espacio aislado en el servidor. Este problema es un legado de CVE-2023-49299. No lo solucionamos por completo en CVE-2023-49299 y agregamos un parche m\u00e1s para solucionarlo. Este problema afecta a Apache DolphinScheduler: hasta 3.2.1. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.2.1, que soluciona el problema."
}
],
"id": "CVE-2024-23320",
"lastModified": "2025-03-18T17:54:12.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-23T17:15:08.570",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-49250
Vulnerability from fkie_nvd - Published: 2024-02-20 10:15 - Updated: 2025-03-18 17:37
Severity ?
Summary
Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.
This issue affects Apache DolphinScheduler: before 3.2.0.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/02/20/1 | Mailing List, Third Party Advisory | |
| security@apache.org | https://github.com/apache/dolphinscheduler/pull/15288 | Issue Tracking, Patch | |
| security@apache.org | https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/02/20/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apache/dolphinscheduler/pull/15288 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA8D19E0-BC4F-4F9C-A389-BB4D41183206",
"versionEndExcluding": "3.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.\n\nThis issue affects Apache DolphinScheduler: before 3.2.0.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
},
{
"lang": "es",
"value": "Debido a que la clase HttpUtils no verific\u00f3 los certificados, un atacante que pudiera realizar un ataque Man-in-the-Middle (MITM) en conexiones https salientes podr\u00eda hacerse pasar por el servidor. Este problema afecta a Apache DolphinScheduler: versiones anteriores a 3.2.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.2.1, que soluciona el problema."
}
],
"id": "CVE-2023-49250",
"lastModified": "2025-03-18T17:37:50.467",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-20T10:15:08.040",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2023-51770
Vulnerability from fkie_nvd - Published: 2024-02-20 10:15 - Updated: 2025-03-27 17:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Arbitrary File Read Vulnerability in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/02/20/2 | Mailing List, Third Party Advisory | |
| security@apache.org | https://github.com/apache/dolphinscheduler/pull/15433 | Issue Tracking, Patch | |
| security@apache.org | https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g | Mailing List, Vendor Advisory | |
| security@apache.org | https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/02/20/2 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apache/dolphinscheduler/pull/15433 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0E02B1F7-DA39-44B8-B3C6-0A2056461C0A",
"versionEndExcluding": "3.2.1",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de lectura de archivos arbitrarios en Apache Dolphinscheduler. Este problema afecta a Apache DolphinScheduler: versiones anteriores a 3.2.1. Recomendamos a los usuarios que actualicen Apache DolphinScheduler a la versi\u00f3n 3.2.1, que soluciona el problema."
}
],
"id": "CVE-2023-51770",
"lastModified": "2025-03-27T17:15:41.773",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-20T10:15:08.243",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2023-50270
Vulnerability from fkie_nvd - Published: 2024-02-20 10:15 - Updated: 2025-03-18 17:38
Severity ?
Summary
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://github.com/apache/dolphinscheduler/pull/15219 | Issue Tracking, Patch | |
| security@apache.org | https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6 | Vendor Advisory | |
| security@apache.org | https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r | Vendor Advisory | |
| security@apache.org | https://www.openwall.com/lists/oss-security/2024/02/20/3 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apache/dolphinscheduler/pull/15219 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2024/02/20/3 | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7870A4CC-1A8D-4E9A-9302-F31B465A8C20",
"versionEndExcluding": "3.2.1",
"versionStartIncluding": "1.3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
},
{
"lang": "es",
"value": "Correcci\u00f3n de sesi\u00f3n de Apache DolphinScheduler anterior a la versi\u00f3n 3.2.0, cuya sesi\u00f3n sigue siendo v\u00e1lida despu\u00e9s del cambio de contrase\u00f1a. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.2.1, que soluciona este problema."
}
],
"id": "CVE-2023-50270",
"lastModified": "2025-03-18T17:38:29.743",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-20T10:15:08.140",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-49109
Vulnerability from fkie_nvd - Published: 2024-02-20 10:15 - Updated: 2025-03-18 17:37
Severity ?
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/02/20/4 | Mailing List, Third Party Advisory | |
| security@apache.org | https://github.com/apache/dolphinscheduler/pull/14991 | Issue Tracking, Patch | |
| security@apache.org | https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8 | Vendor Advisory | |
| security@apache.org | https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/02/20/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apache/dolphinscheduler/pull/14991 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | dolphinscheduler | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
"matchCriteriaId": "39833A23-5C26-4210-8BEE-54C3195A4A3C",
"versionEndExcluding": "3.2.1",
"versionStartIncluding": "3.0.0 ",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. "
},
{
"lang": "es",
"value": "Exposici\u00f3n de la ejecuci\u00f3n remota de c\u00f3digo en Apache Dolphinscheduler. Este problema afecta a Apache DolphinScheduler: versiones anteriores a 3.2.1. Recomendamos a los usuarios que actualicen Apache DolphinScheduler a la versi\u00f3n 3.2.1, que soluciona el problema."
}
],
"id": "CVE-2023-49109",
"lastModified": "2025-03-18T17:37:00.060",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-20T10:15:07.927",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
CVE-2024-43166 (GCVE-0-2024-43166)
Vulnerability from cvelistv5 – Published: 2025-09-03 09:10 – Updated: 2025-11-04 21:08
VLAI?
Summary
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(maven)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:44:48.062064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:19.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:48.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Default Permissions vulnerability in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Default Permissions vulnerability in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T09:10:24.401Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43166",
"datePublished": "2025-09-03T09:10:24.401Z",
"dateReserved": "2024-08-07T10:39:22.903Z",
"dateUpdated": "2025-11-04T21:08:48.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43115 (GCVE-0-2024-43115)
Vulnerability from cvelistv5 – Published: 2025-09-03 08:38 – Updated: 2025-11-04 21:08
VLAI?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:45:02.888615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:24.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:47.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can execute any shell script server by alert script.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.\n\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T08:38:32.442Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qm36nrsv1vrr2j4o5q2wo75h3686hrnj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Alert Script Attack",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43115",
"datePublished": "2025-09-03T08:38:32.442Z",
"dateReserved": "2024-08-07T06:13:30.951Z",
"dateUpdated": "2025-11-04T21:08:47.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43202 (GCVE-0-2024-43202)
Vulnerability from cvelistv5 – Published: 2024-08-20 07:29 – Updated: 2024-08-20 15:02
VLAI?
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.0.0 , < 3.2.2
(semver)
|
Credits
an4er
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T13:06:20.819939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T13:13:41.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-20T15:02:42.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "an4er"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.2. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T07:29:43.170Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15758"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49109"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43202",
"datePublished": "2024-08-20T07:29:43.170Z",
"dateReserved": "2024-08-07T15:30:55.296Z",
"dateUpdated": "2024-08-20T15:02:42.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30188 (GCVE-0-2024-30188)
Vulnerability from cvelistv5 – Published: 2024-08-09 14:23 – Updated: 2025-03-13 14:01
VLAI?
Summary
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files.
This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.
Users are recommended to upgrade to version 3.2.2, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.1.0 , < 3.2.2
(semver)
|
Credits
L0ne1y
drun1baby
Zevi
Xun Bai
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:52.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-10T14:25:59.911467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:01:49.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "drun1baby"
},
{
"lang": "en",
"type": "reporter",
"value": "Zevi"
},
{
"lang": "en",
"type": "reporter",
"value": "Xun Bai"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u0026nbsp; authenticated users can illegally access additional resource files.\u003cbr\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u00a0 authenticated users can illegally access additional resource files.\nThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:23:27.823Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Resource File Read And Write Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-30188",
"datePublished": "2024-08-09T14:23:27.823Z",
"dateReserved": "2024-03-25T09:58:24.854Z",
"dateUpdated": "2025-03-13T14:01:49.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29831 (GCVE-0-2024-29831)
Vulnerability from cvelistv5 – Published: 2024-08-09 14:21 – Updated: 2024-08-12 17:49
VLAI?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , ≤ 3.2.1
(semver)
|
Credits
yerest
L0ne1y
My Long
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:51.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:05:34.308702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:49:00.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yerest"
},
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "My Long"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:21:48.184Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: RCE by arbitrary js execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29831",
"datePublished": "2024-08-09T14:21:48.184Z",
"dateReserved": "2024-03-20T09:51:46.246Z",
"dateUpdated": "2024-08-12T17:49:00.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23320 (GCVE-0-2024-23320)
Vulnerability from cvelistv5 – Published: 2024-02-23 16:57 – Updated: 2025-02-13 17:39
VLAI?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.1
(semver)
|
Credits
xuesong.zhou
Nbxiglk
Huang Atao
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T18:27:33.967939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:29:05.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-master",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xuesong.zhou"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
},
{
"lang": "en",
"type": "finder",
"value": "Huang Atao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: until 3.2.1.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\n\nThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\n\nThis issue affects Apache DolphinScheduler: until 3.2.1.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T17:00:13.617Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary js execution as root for authenticated users",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-23320",
"datePublished": "2024-02-23T16:57:09.741Z",
"dateReserved": "2024-01-15T10:49:33.393Z",
"dateUpdated": "2025-02-13T17:39:41.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51770 (GCVE-0-2023-51770)
Vulnerability from cvelistv5 – Published: 2024-02-20 10:02 – Updated: 2025-03-27 16:50
VLAI?
Summary
Arbitrary File Read Vulnerability in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
1.2.0 , < 3.2.1
(semver)
|
Credits
zhiwei
rg
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T20:29:47.005332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:50:01.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-datasource-mysql",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "zhiwei"
},
{
"lang": "en",
"type": "finder",
"value": "rg"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.1. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:05:08.798Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51770",
"datePublished": "2024-02-20T10:02:12.991Z",
"dateReserved": "2023-12-25T03:43:07.636Z",
"dateUpdated": "2025-03-27T16:50:01.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50270 (GCVE-0-2023-50270)
Vulnerability from cvelistv5 – Published: 2024-02-20 10:01 – Updated: 2024-08-29 15:08
VLAI?
Summary
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
1.3.8 , ≤ 3.2.0
(semver)
|
Credits
lujiefsi
Qing Xu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T17:07:02.901267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:08:36.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lujiefsi"
},
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T10:17:35.425Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Session do not expire after password change",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-50270",
"datePublished": "2024-02-20T10:01:32.260Z",
"dateReserved": "2023-12-06T02:25:09.094Z",
"dateUpdated": "2024-08-29T15:08:36.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49250 (GCVE-0-2023-49250)
Vulnerability from cvelistv5 – Published: 2024-02-20 10:00 – Updated: 2025-02-13 17:18
VLAI?
Summary
Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.
This issue affects Apache DolphinScheduler: before 3.2.0.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , ≤ 3.2.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.724Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:1.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:1.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:1.3.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:2.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:3.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:3.1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:3.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "1.0.5"
},
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.2.1"
},
{
"status": "affected",
"version": "1.3.9"
},
{
"status": "affected",
"version": "2.0.9"
},
{
"status": "affected",
"version": "3.0.6"
},
{
"status": "affected",
"version": "3.1.9"
},
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T15:17:49.511453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T15:29:23.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-common",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBecause the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.\n\nThis issue affects Apache DolphinScheduler: before 3.2.0.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:05:05.838Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49250",
"datePublished": "2024-02-20T10:00:06.733Z",
"dateReserved": "2023-11-24T11:02:09.324Z",
"dateUpdated": "2025-02-13T17:18:36.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49109 (GCVE-0-2023-49109)
Vulnerability from cvelistv5 – Published: 2024-02-20 09:58 – Updated: 2025-02-13 17:18
VLAI?
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.0.0 , < 3.2.1
(semver)
|
Credits
Y4tacker and 4ra1n from Y4secTeam
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T15:21:40.896739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T17:51:16.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Y4tacker and 4ra1n from Y4secTeam"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.1. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:00:07.687Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution in Apache Dolphinscheduler",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49109",
"datePublished": "2024-02-20T09:58:56.779Z",
"dateReserved": "2023-11-22T08:14:39.874Z",
"dateUpdated": "2025-02-13T17:18:34.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43166 (GCVE-0-2024-43166)
Vulnerability from nvd – Published: 2025-09-03 09:10 – Updated: 2025-11-04 21:08
VLAI?
Summary
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(maven)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:44:48.062064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:19.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:48.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Default Permissions vulnerability in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Default Permissions vulnerability in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T09:10:24.401Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43166",
"datePublished": "2025-09-03T09:10:24.401Z",
"dateReserved": "2024-08-07T10:39:22.903Z",
"dateUpdated": "2025-11-04T21:08:48.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43115 (GCVE-0-2024-43115)
Vulnerability from nvd – Published: 2025-09-03 08:38 – Updated: 2025-11-04 21:08
VLAI?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:45:02.888615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:24.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:47.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can execute any shell script server by alert script.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.\n\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T08:38:32.442Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qm36nrsv1vrr2j4o5q2wo75h3686hrnj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Alert Script Attack",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43115",
"datePublished": "2025-09-03T08:38:32.442Z",
"dateReserved": "2024-08-07T06:13:30.951Z",
"dateUpdated": "2025-11-04T21:08:47.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43202 (GCVE-0-2024-43202)
Vulnerability from nvd – Published: 2024-08-20 07:29 – Updated: 2024-08-20 15:02
VLAI?
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.0.0 , < 3.2.2
(semver)
|
Credits
an4er
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T13:06:20.819939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T13:13:41.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-20T15:02:42.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "an4er"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.2. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T07:29:43.170Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15758"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49109"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43202",
"datePublished": "2024-08-20T07:29:43.170Z",
"dateReserved": "2024-08-07T15:30:55.296Z",
"dateUpdated": "2024-08-20T15:02:42.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30188 (GCVE-0-2024-30188)
Vulnerability from nvd – Published: 2024-08-09 14:23 – Updated: 2025-03-13 14:01
VLAI?
Summary
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files.
This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.
Users are recommended to upgrade to version 3.2.2, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.1.0 , < 3.2.2
(semver)
|
Credits
L0ne1y
drun1baby
Zevi
Xun Bai
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:52.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-10T14:25:59.911467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:01:49.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "drun1baby"
},
{
"lang": "en",
"type": "reporter",
"value": "Zevi"
},
{
"lang": "en",
"type": "reporter",
"value": "Xun Bai"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u0026nbsp; authenticated users can illegally access additional resource files.\u003cbr\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u00a0 authenticated users can illegally access additional resource files.\nThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:23:27.823Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Resource File Read And Write Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-30188",
"datePublished": "2024-08-09T14:23:27.823Z",
"dateReserved": "2024-03-25T09:58:24.854Z",
"dateUpdated": "2025-03-13T14:01:49.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29831 (GCVE-0-2024-29831)
Vulnerability from nvd – Published: 2024-08-09 14:21 – Updated: 2024-08-12 17:49
VLAI?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , ≤ 3.2.1
(semver)
|
Credits
yerest
L0ne1y
My Long
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:51.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:05:34.308702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:49:00.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yerest"
},
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "My Long"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:21:48.184Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: RCE by arbitrary js execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29831",
"datePublished": "2024-08-09T14:21:48.184Z",
"dateReserved": "2024-03-20T09:51:46.246Z",
"dateUpdated": "2024-08-12T17:49:00.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23320 (GCVE-0-2024-23320)
Vulnerability from nvd – Published: 2024-02-23 16:57 – Updated: 2025-02-13 17:39
VLAI?
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.1
(semver)
|
Credits
xuesong.zhou
Nbxiglk
Huang Atao
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T18:27:33.967939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:29:05.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-master",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xuesong.zhou"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
},
{
"lang": "en",
"type": "finder",
"value": "Huang Atao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: until 3.2.1.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\n\nThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\n\nThis issue affects Apache DolphinScheduler: until 3.2.1.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T17:00:13.617Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary js execution as root for authenticated users",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-23320",
"datePublished": "2024-02-23T16:57:09.741Z",
"dateReserved": "2024-01-15T10:49:33.393Z",
"dateUpdated": "2025-02-13T17:39:41.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51770 (GCVE-0-2023-51770)
Vulnerability from nvd – Published: 2024-02-20 10:02 – Updated: 2025-03-27 16:50
VLAI?
Summary
Arbitrary File Read Vulnerability in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
1.2.0 , < 3.2.1
(semver)
|
Credits
zhiwei
rg
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T20:29:47.005332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:50:01.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-datasource-mysql",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "zhiwei"
},
{
"lang": "en",
"type": "finder",
"value": "rg"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.1. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:05:08.798Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51770",
"datePublished": "2024-02-20T10:02:12.991Z",
"dateReserved": "2023-12-25T03:43:07.636Z",
"dateUpdated": "2025-03-27T16:50:01.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50270 (GCVE-0-2023-50270)
Vulnerability from nvd – Published: 2024-02-20 10:01 – Updated: 2024-08-29 15:08
VLAI?
Summary
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
1.3.8 , ≤ 3.2.0
(semver)
|
Credits
lujiefsi
Qing Xu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T17:07:02.901267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:08:36.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lujiefsi"
},
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T10:17:35.425Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Session do not expire after password change",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-50270",
"datePublished": "2024-02-20T10:01:32.260Z",
"dateReserved": "2023-12-06T02:25:09.094Z",
"dateUpdated": "2024-08-29T15:08:36.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49250 (GCVE-0-2023-49250)
Vulnerability from nvd – Published: 2024-02-20 10:00 – Updated: 2025-02-13 17:18
VLAI?
Summary
Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.
This issue affects Apache DolphinScheduler: before 3.2.0.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , ≤ 3.2.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.724Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:1.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:1.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:1.3.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:2.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:3.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:3.1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:dolphinscheduler:3.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "1.0.5"
},
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.2.1"
},
{
"status": "affected",
"version": "1.3.9"
},
{
"status": "affected",
"version": "2.0.9"
},
{
"status": "affected",
"version": "3.0.6"
},
{
"status": "affected",
"version": "3.1.9"
},
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T15:17:49.511453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T15:29:23.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-common",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBecause the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.\n\nThis issue affects Apache DolphinScheduler: before 3.2.0.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:05:05.838Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15288"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/wgs2jvhbmq8xnd6rmg0ymz73nyj7b3qn"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49250",
"datePublished": "2024-02-20T10:00:06.733Z",
"dateReserved": "2023-11-24T11:02:09.324Z",
"dateUpdated": "2025-02-13T17:18:36.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49109 (GCVE-0-2023-49109)
Vulnerability from nvd – Published: 2024-02-20 09:58 – Updated: 2025-02-13 17:18
VLAI?
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.0.0 , < 3.2.1
(semver)
|
Credits
Y4tacker and 4ra1n from Y4secTeam
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T15:21:40.896739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T17:51:16.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Y4tacker and 4ra1n from Y4secTeam"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.1. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:00:07.687Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/14991"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution in Apache Dolphinscheduler",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49109",
"datePublished": "2024-02-20T09:58:56.779Z",
"dateReserved": "2023-11-22T08:14:39.874Z",
"dateUpdated": "2025-02-13T17:18:34.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}