CVE-2022-45875

CWE-20 — Improper Input Validation5 documents4 sources

Severity

9.8CRITICAL

EPSS

3.4%

top 12.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Dolphinscheduler Apache Software Foundation Apache Dolphinscheduler

Timeline

PublishedJan 4

Description

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDapache/dolphinscheduler< 3.0.2+1

▶PyPIapache-dolphinscheduler< 3.0.2

▶Mavenorg.apache.dolphinscheduler:dolphinscheduler3.1.0 — 3.1.1+1

▶CVEListV5apache_software_foundation/apache_dolphinscheduler3.0 — 3.0.1+1

🔴Vulnerability Details

CVEList

Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin↗2023-01-04

▶

GHSA

Apache DolphinScheduler vulnerable to Improper Input Validation↗2023-01-04

▶

OSV

Apache DolphinScheduler vulnerable to Improper Input Validation↗2023-01-04

▶

OSV

CVE-2022-45875: Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability↗2023-01-04

▶