Apache Dolphinscheduler vulnerabilities

CVE-2024-43166 [CRITICAL] CWE-276 CVE-2024-43166: Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache D Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

CVE-2024-43115 [HIGH] CWE-20 CVE-2024-43115: Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execut Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

CVE-2024-43202 [CRITICAL] CWE-94 CVE-2024-43202: Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinSche Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.

CVE-2024-30188 [HIGH] CWE-20 CVE-2024-30188: File read and write vulnerability in Apache DolphinScheduler ,  authenticated users can illegally ac File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue.

CVE-2024-29831 [HIGH] CWE-20 CVE-2024-29831: Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.

CVE-2024-23320 [HIGH] CVE-2024-23320: Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it. This issue affects Apache DolphinScheduler: until 3.2.1. Users are

CVE-2023-49109 [CRITICAL] CWE-94 CVE-2023-49109: Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinSche Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

CVE-2023-49250 [HIGH] CWE-295 CVE-2023-49250: Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which fixes the issue.

CVE-2023-51770 [HIGH] CWE-94 CVE-2023-51770: Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinSche Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

CVE-2023-50270 [MEDIUM] CWE-613 CVE-2023-50270: Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after th Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

CVE-2023-49299 [HIGH] CWE-20 CVE-2023-49299: Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue.

CVE-2023-49620 [MEDIUM] CWE-862 CVE-2023-49620: Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource cent Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version

CVE-2023-49068 [HIGH] CWE-200 CVE-2023-49068: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you m

CVE-2023-48796 [HIGH] CWE-200 CVE-2023-48796: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheu

CVE-2023-25601 [MEDIUM] CWE-287 CVE-2023-25601: On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper auth On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-

CVE-2022-45875 [CRITICAL] CWE-20 CVE-2022-45875: Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote com Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS.

CVE-2022-26885 [HIGH] CWE-200 CVE-2022-26885: When using tasks to read config files, there is a risk of database password disclosure. We recommend When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.

CVE-2022-45462 [CRITICAL] CWE-77 CVE-2022-45462: Alarm instance management has command injection when there is a specific command configured. It is o Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher

CVE-2022-34662 [MEDIUM] CWE-22 CVE-2022-34662: When users add resources to the resource center with a relation path will cause path traversal issue When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher

CVE-2022-26884 [MEDIUM] CWE-22 CVE-2022-26884: Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0. Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.