Note: This project will be discontinued after December 13, 2021.
Product: Dolphinscheduler (Apache)
Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 16 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-02-20 | CVE-2023-51770 | Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend that users upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. | Dolphinscheduler | 7.5 | ||
2021-01-11 | CVE-2020-13922 | Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface. | Dolphinscheduler | 6.5 | ||
2021-11-01 | CVE-2021-27644 | In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) | Dolphinscheduler | 8.8 | ||
2022-03-30 | CVE-2022-25598 | Apache DolphinScheduler user registration is vulnerable to Regular expression Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | Dolphinscheduler | 7.5 | ||
2022-10-28 | CVE-2022-26884 | Users can read any file through the log server. Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | Dolphinscheduler | 6.5 | ||
2022-11-01 | CVE-2022-34662 | Adding resources to the resource center with a relation path causes path traversal issues; this applies only to logged-in users. You could upgrade to version 3.0.0 or higher. | Dolphinscheduler | 6.5 | ||
2022-11-23 | CVE-2022-45462 | Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher | Dolphinscheduler | 9.8 | ||
2022-11-24 | CVE-2022-26885 | When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher. | Dolphinscheduler | 7.5 | ||
2023-01-04 | CVE-2022-45875 | Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users who can log in to DS. | Dolphinscheduler | 9.8 | ||
2023-04-20 | CVE-2023-25601 | On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above. | Dolphinscheduler | 4.3 | ||