CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49299 – Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
https://notcve.org/view.php?id=CVE-2023-49299
30 Dec 2023 — Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue. Vulnerabilidad de validación de entrada incorrecta en Apache DolphinScheduler. Un usuario autenticado puede hacer que se ejecute javascript arbitrario y sin espacio aislado en el servidor. • http://www.openwall.com/lists/oss-security/2024/02/23/3 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49620 – Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for
https://notcve.org/view.php?id=CVE-2023-49620
30 Nov 2023 — Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability Antes de la versión 3.1.0 de DolphinScheduler, el usuario que iniciaba sesión podía eliminar la función UDF en el centro de rec... • http://www.openwall.com/lists/oss-security/2023/11/30/4 • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49068 – Apache DolphinScheduler: Information Leakage Vulnerability
https://notcve.org/view.php?id=CVE-2023-49068
27 Nov 2023 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en Apache DolphinS... • https://github.com/apache/dolphinscheduler/pull/15192 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 0CVE-2022-45875 – Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin
https://notcve.org/view.php?id=CVE-2022-45875
04 Jan 2023 — Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS. Validación incorrecta de los parámetros del complemento de alerta de script en Apache DolphinScheduler para evitar la vulnerabilidad de ejecución remota de comandos. Este problema afecta a Ap... • http://www.openwall.com/lists/oss-security/2023/11/22/2 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26885 – Apache DolphinScheduler config file read by task risk
https://notcve.org/view.php?id=CVE-2022-26885
24 Nov 2022 — When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher. Cuando se utilizan tareas para leer archivos de configuración, existe el riesgo de que se revele la contraseña de la base de datos. Le recomendamos actualizar a la versión 2.0.6 o superior. • https://lists.apache.org/thread/z7084r9cs2r26cszkkgjqpb5bhnxqssp •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2022-45462 – Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability
https://notcve.org/view.php?id=CVE-2022-45462
23 Nov 2022 — Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher Alarm instance management tiene inyección de comandos cuando hay un comando específico configurado. Es sólo para usuarios registrados. Le recomendamos actualizar a la versión 2.0.6 o superior. • http://www.openwall.com/lists/oss-security/2022/11/23/1 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34662 – Apache DolphinScheduler prior to 3.0.0 allows path traversal
https://notcve.org/view.php?id=CVE-2022-34662
01 Nov 2022 — When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher Cuando los usuarios agregan recursos al centro de recursos con una ruta de relación, se producirán problemas de path traversal y solo para los usuarios que hayan iniciado sesión. Podrías actualizar a la versión 3.0.0 o superior. • http://www.openwall.com/lists/oss-security/2022/11/01/13 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26884 – Apache DolphinScheduler exposes files without authentication
https://notcve.org/view.php?id=CVE-2022-26884
28 Oct 2022 — Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. Los usuarios pueden leer cualquier archivo mediante el servidor de registro; los usuarios de Apache DolphinScheduler deben actualizar a la versión 2.0.6 o superior. • http://www.openwall.com/lists/oss-security/2022/10/28/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-25598 – Apache DolphinScheduler user registration is vulnerable to ReDoS attacks
https://notcve.org/view.php?id=CVE-2022-25598
30 Mar 2022 — Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. El registro de usuarios de Apache DolphinScheduler es vulnerable a ataques de Denegación de Servicio de Expresión Regular (ReDoS), los usuarios de Apache DolphinScheduler deben actualizar a versión 2.0.5 o superior • https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 8.8EPSS: 4%CPEs: 1EXPL: 0CVE-2021-27644 – DolphinScheduler mysql jdbc connector parameters deserialize remote code execution
https://notcve.org/view.php?id=CVE-2021-27644
01 Nov 2021 — In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) En Apache DolphinScheduler versiones anteriores a 1.3.6, los usuarios autorizados pueden usar una inyección SQL en el centro de origen de datos. (Sólo aplicable a la fuente de datos MySQL con la contraseña de la cuenta de inicio de sesión interna) • http://www.openwall.com/lists/oss-security/2021/11/01/3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-264: Permissions, Privileges, and Access Controls •