Latest apache dolphinscheduler Vulnerabilities

CVE-2023-49299
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
maven/org.apache.dolphinscheduler:dolphinscheduler-master<3.1.9
Apache DolphinScheduler<3.1.9
<3.1.9
CVE-2023-49620
Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for
Apache DolphinScheduler<3.1.0
maven/org.apache.dolphinscheduler:dolphinscheduler-service<3.1.0
maven/org.apache.dolphinscheduler:dolphinscheduler-dao<3.1.0
maven/org.apache.dolphinscheduler:dolphinscheduler-common<3.1.0
maven/org.apache.dolphinscheduler:dolphinscheduler-api<3.1.0
CVE-2023-49068
Apache DolphinScheduler: Information Leakage Vulnerability
maven/org.apache.dolphinscheduler:dolphinscheduler-api<3.2.1
Apache DolphinScheduler<3.2.1
CVE-2022-45875
Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin
Apache DolphinScheduler<3.0.2
Apache DolphinScheduler=3.1.0
maven/org.apache.dolphinscheduler:dolphinscheduler=3.1.0
maven/org.apache.dolphinscheduler:dolphinscheduler<3.0.2
CVE-2022-26885
When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.
Apache DolphinScheduler<2.0.6
CVE-2022-45462
Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher
Apache DolphinScheduler<2.0.6
CVE-2022-34662
When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher
Apache DolphinScheduler<3.0.0
CVE-2022-26884
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
Apache DolphinScheduler<2.0.6
CVE-2022-25598
Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.
Apache DolphinScheduler<2.0.5
CVE-2021-27644
In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)
Apache DolphinScheduler<1.3.6
CVE-2020-13922
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.
Apache DolphinScheduler=1.2.0
Apache DolphinScheduler=1.2.1
Apache DolphinScheduler=1.3.1
maven/org.apache.dolphinscheduler:dolphinscheduler<1.3.2
CVE-2020-11974
In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.
Apache DolphinScheduler=1.2.0
Apache DolphinScheduler=1.2.1
maven/org.apache.dolphinscheduler:dolphinscheduler<1.3.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203