Apache Dolphinscheduler vulnerabilities

CVE-2022-34662 [MEDIUM] CWE-22 CVE-2022-34662: When users add resources to the resource center with a relation path will cause path traversal issue When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher

CVE-2022-26884 [MEDIUM] CWE-22 CVE-2022-26884: Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0. Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.

CVE-2022-25598 [HIGH] CWE-1333 CVE-2022-25598: Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

CVE-2021-27644 [HIGH] CWE-264 CVE-2021-27644: In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

CVE-2020-13922 [MEDIUM] CWE-264 CVE-2020-13922: Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to over Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

CVE-2020-11974 [CRITICAL] CVE-2020-11974: In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exi In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.