CVE-2022-45875
Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin
- Severity Score: 9.8 (CVSS v3.1)
- Public Exploits: 0 (Multiple Sources)
- Exploited in Wild: - (KEV)
- Decision: - (SSVC)
Descriptions
Improper validation of script alert plugin parameters in Apache DolphinScheduler allows remote command execution. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.
This attack can be performed only by authenticated users who can log in to DolphinScheduler (DS).
*Credits:
4ra1n of Chaitin Tech
Timeline
- 2022-11-24 CVE Reserved
- 2023-01-04 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-11 EPSS Updated
CWE
- CWE-20: Improper Input Validation
References (2)
- http://www.openwall.com/lists/oss-security/2023/11/22/2
- https://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r (2023-11-22)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Apache | Dolphinscheduler | < 3.0.2 | - | Affected |
Apache | Dolphinscheduler | 3.1.0 | - | Affected |