CVE-2023-49299 – Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
https://notcve.org/view.php?id=CVE-2023-49299
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue. Vulnerabilidad de validación de entrada incorrecta en Apache DolphinScheduler. Un usuario autenticado puede hacer que se ejecute javascript arbitrario y sin espacio aislado en el servidor. Este problema afecta a Apache DolphinScheduler: hasta 3.1.9. • http://www.openwall.com/lists/oss-security/2024/02/23/3 https://github.com/apache/dolphinscheduler/pull/15228 https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm • CWE-20: Improper Input Validation •
CVE-2023-49620 – Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for
https://notcve.org/view.php?id=CVE-2023-49620
Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability Antes de la versión 3.1.0 de DolphinScheduler, el usuario que iniciaba sesión podía eliminar la función UDF en el centro de recursos sin autorización (que casi se usaba en tareas SQL), con vulnerabilidad de acceso no autorizado (IDOR), pero después de la versión 3.1.0 solucionamos este problema. Marcamos esta cve como nivel moderado porque todavía requiere el inicio de sesión del usuario para funcionar. Actualice a la versión 3.1.0 para evitar esta vulnerabilidad. • http://www.openwall.com/lists/oss-security/2023/11/30/4 https://github.com/apache/dolphinscheduler/pull/10307 https://lists.apache.org/thread/zm4t1ykj4cro1c8183q7y32z0yzfz8yj • CWE-862: Missing Authorization •
CVE-2023-49068 – Apache DolphinScheduler: Information Leakage Vulnerability
https://notcve.org/view.php?id=CVE-2023-49068
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en Apache DolphinScheduler. Este problema afecta a Apache DolphinScheduler: versiones anteriores a 3.2.1. • https://github.com/apache/dolphinscheduler/pull/15192 https://lists.apache.org/thread/jn6kr6mjdgtfgpxoq9j8q4pkfsq8zmpq • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-48796 – Apache dolphinscheduler sensitive information disclosure
https://notcve.org/view.php?id=CVE-2023-48796
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en Apache DolphinScheduler. La información expuesta a actores no autorizados puede incluir datos confidenciales, como credenciales de bases de datos. Los usuarios que no pueden actualizar a la versión fija también pueden configurar la variable de entorno `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` para solucionar este problema, o agregar la siguiente sección en el archivo ``application.yaml` ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` Este problema afecta a Apache DolphinScheduler: desde 3.0.0 antes de 3.0.2. Se recomienda a los usuarios actualizar a la versión 3.0.2, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2023/11/24/1 https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-25601 – Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has improper authentication
https://notcve.org/view.php?id=CVE-2023-25601
On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above. • http://www.openwall.com/lists/oss-security/2023/04/20/10 https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf • CWE-287: Improper Authentication •