CVE-2021-27644

CWE-264 CWE-89 — SQL Injection4 documents4 sources

Severity

8.8HIGH

EPSS

2.1%

top 15.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Dolphinscheduler Apache Dolphinscheduler

Timeline

PublishedNov 1

Latest updateNov 3

Description

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/dolphinscheduler< 1.3.6

▶CVEListV5apache_software_foundation/apache_dolphinschedulerApache DolphinScheduler — 1.3.6

▶Mavenorg.apache.dolphinscheduler:dolphinscheduler-server< 1.3.6

🔴Vulnerability Details

GHSA

SQL injection in Apache DolphinScheduler↗2021-11-03

▶

OSV

SQL injection in Apache DolphinScheduler↗2021-11-03

▶

CVEList

DolphinScheduler mysql jdbc connector parameters deserialize remote code execution↗2021-11-01

▶