Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Dolphinscheduler
(Apache)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 16 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-01-04 | CVE-2022-45875 | Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS. | Dolphinscheduler | 9.8 | ||
| 2023-04-20 | CVE-2023-25601 | On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above. | Dolphinscheduler | 4.3 | ||
| 2023-11-24 | CVE-2023-48796 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management: endpoints: web: exposure: ... | Dolphinscheduler | 7.5 | ||
| 2023-12-30 | CVE-2023-49299 | Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue. | Dolphinscheduler | 8.8 | ||
| 2024-02-20 | CVE-2023-51770 | Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. | Dolphinscheduler | 7.5 | ||
| 2021-01-11 | CVE-2020-13922 | Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface. | Dolphinscheduler | 6.5 | ||
| 2021-11-01 | CVE-2021-27644 | In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) | Dolphinscheduler | 8.8 | ||
| 2022-03-30 | CVE-2022-25598 | Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | Dolphinscheduler | 7.5 | ||
| 2022-10-28 | CVE-2022-26884 | Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | Dolphinscheduler | 6.5 | ||
| 2022-11-01 | CVE-2022-34662 | When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher | Dolphinscheduler | 6.5 |