Search
Find a vulnerability
Search criteria
62 vulnerabilities found for Apache DolphinScheduler by Apache Software Foundation
CVE-2026-47340 (GCVE-0-2026-47340)
Vulnerability from nvd – Published: 2026-06-17 09:00 – Updated: 2026-06-17 15:37
VLAI
Title
Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
Summary
Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:40:13.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-47340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:37:14.740417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:37:28.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "thesecguy45@gmail.com"
},
{
"lang": "en",
"type": "finder",
"value": "udolemi (S2W)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.4.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.4.2.\n\nUsers are recommended to upgrade to version 3.4.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:00:12.475Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gx6v1wjb6qg3fzksxomysspy2gw54ooc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-47340",
"datePublished": "2026-06-17T09:00:12.475Z",
"dateReserved": "2026-05-19T11:34:37.241Z",
"dateUpdated": "2026-06-17T15:37:28.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42357 (GCVE-0-2026-42357)
Vulnerability from nvd – Published: 2026-06-17 08:56 – Updated: 2026-06-17 15:35
VLAI
Title
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Summary
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:40:04.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:35:00.281861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:35:11.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yicheng Yu(https://github.com/FHMTT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler versions prior to 3.4.2.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes this issue.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.2.\n\n\nUsers are recommended to upgrade to version 3.4.2, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:56:55.154Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/74l2rrz32w2chn7vz64313gk7ox5wjtr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-42357",
"datePublished": "2026-06-17T08:56:55.154Z",
"dateReserved": "2026-04-26T14:44:49.319Z",
"dateUpdated": "2026-06-17T15:35:11.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41280 (GCVE-0-2026-41280)
Vulnerability from nvd – Published: 2026-06-17 08:55 – Updated: 2026-06-17 11:06
VLAI
Title
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Summary
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:40:02.283Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-41280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T11:05:58.721556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T11:06:01.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yicheng Yu(https://github.com/FHMTT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler versions prior to 3.4.2. \u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes this issue.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.2. \n\nUsers are recommended to upgrade to version 3.4.2, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:55:29.988Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41280",
"datePublished": "2026-06-17T08:55:29.988Z",
"dateReserved": "2026-04-19T05:17:56.571Z",
"dateUpdated": "2026-06-17T11:06:01.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32967 (GCVE-0-2026-32967)
Vulnerability from nvd – Published: 2026-06-17 08:57 – Updated: 2026-06-17 15:36
VLAI
Title
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Summary
Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:39:53.741Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:36:08.328619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:36:12.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "b0b0haha (603571786@qq.com)"
},
{
"lang": "en",
"type": "finder",
"value": "j311yl0v3u (2439839508@qq.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.4.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.4.2.\n\nUsers are recommended to upgrade to version 3.4.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:57:55.852Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5o5jrg1snkmrto96wg015wgbh7hyckzc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-32967",
"datePublished": "2026-06-17T08:57:55.852Z",
"dateReserved": "2026-03-17T01:51:58.417Z",
"dateUpdated": "2026-06-17T15:36:12.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32966 (GCVE-0-2026-32966)
Vulnerability from nvd – Published: 2026-06-17 08:43 – Updated: 2026-06-17 15:34
VLAI
Title
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Summary
DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:39:51.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:34:00.767997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:34:06.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "b0b0haha (603571786@qq.com)"
},
{
"lang": "en",
"type": "finder",
"value": "j311yl0v3u (2439839508@qq.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.4.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.4.2.\n\nUsers are recommended to upgrade to version 3.4.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:43:11.566Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4f1fojpj26z9y5nd1ko845gcknpn75g2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-32966",
"datePublished": "2026-06-17T08:43:11.566Z",
"dateReserved": "2026-03-17T01:50:30.908Z",
"dateUpdated": "2026-06-17T15:34:06.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23902 (GCVE-0-2026-23902)
Vulnerability from nvd – Published: 2026-04-24 10:56 – Updated: 2026-04-24 18:33
VLAI
Title
Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.
Summary
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.
This issue affects Apache DolphinScheduler versions prior to 3.4.1.
Users are recommended to upgrade to version 3.4.1, which fixes this issue.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-24T11:28:42.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/24/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T18:25:12.669237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:33:34.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jihang Yu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler versions prior to 3.4.1.\u0026nbsp;\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.1, which fixes this issue.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.1.\u00a0\n\nUsers are recommended to upgrade to version 3.4.1, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T10:56:18.289Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-23902",
"datePublished": "2026-04-24T10:56:18.289Z",
"dateReserved": "2026-01-18T04:07:20.514Z",
"dateUpdated": "2026-04-24T18:33:34.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62233 (GCVE-0-2025-62233)
Vulnerability from nvd – Published: 2026-04-24 10:54 – Updated: 2026-04-24 16:09
VLAI
Title
Apache DolphinScheduler: Deserialization of untrusted data in RPC
Summary
Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.
This issue affects Apache DolphinScheduler:
Version >= 3.2.0 and < 3.3.1.
Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.
Users are recommended to upgrade to version [3.3.1], which fixes the issue.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.2.0 , < 3.3.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-24T11:28:22.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/24/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-62233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:09:54.360016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T16:09:59.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-extract-base",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "75Acol, fcgboy, ch0wn, zer0duck"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler:\u0026nbsp;\u003c/p\u003e\u003cp\u003eVersion \u0026gt;= 3.2.0 and \u0026lt; 3.3.1.\u003c/p\u003eAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version [3.3.1], which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\n\nThis issue affects Apache DolphinScheduler:\u00a0\n\nVersion \u003e= 3.2.0 and \u003c 3.3.1.\n\nAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\nUsers are recommended to upgrade to version [3.3.1], which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T10:54:55.162Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Deserialization of untrusted data in RPC",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-62233",
"datePublished": "2026-04-24T10:54:55.162Z",
"dateReserved": "2025-10-09T12:40:17.778Z",
"dateUpdated": "2026-04-24T16:09:59.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62188 (GCVE-0-2025-62188)
Vulnerability from nvd – Published: 2026-04-09 09:27 – Updated: 2026-04-09 13:57
VLAI
Title
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Summary
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.
This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.
This issue affects Apache DolphinScheduler versions 3.1.*.
Users are recommended to upgrade to:
* version ≥ 3.2.0 if using 3.1.x
As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:
```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```
Alternatively, add the following configuration to the application.yaml file:
```
management:
endpoints:
web:
exposure:
include: health,metrics,prometheus
```
This issue has been reported as CVE-2023-48796:
https://cveprocess.apache.org/cve5/CVE-2023-48796
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/ffrmkcwgr2lcz0f5n… | vendor-advisory |
| https://www.cve.org/CVERecord?id=CVE-2023-48796 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.1.0 , < 3.2.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-62188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T13:57:14.827090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T13:57:33.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.0",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "w aiyou"
},
{
"lang": "en",
"type": "reporter",
"value": "\u9b4f\u5927\u521b"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn \u003cstrong\u003eExposure of Sensitive Information to an Unauthorized Actor\u003c/strong\u003e vulnerability exists in Apache DolphinScheduler.\u003cbr\u003e\nThis vulnerability may allow unauthorized actors to access sensitive information, including database credentials.\u003c/p\u003e\n\u003cp\u003eThis issue affects \u003cstrong\u003eApache DolphinScheduler versions 3.1.*\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eUsers are recommended to upgrade to:\u003cbr\u003e\u003c/p\u003e\n\n\n\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eversion \u2265 3.2.0\u003c/strong\u003e if using \u003cstrong\u003e3.1.x\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eAs a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:\u003c/p\u003e\n```\u003cbr\u003eMANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus\u003cbr\u003e```\u003cbr\u003e\n\u003cp\u003eAlternatively, add the following configuration to the \u003ccode\u003eapplication.yaml\u003c/code\u003e file:\u003c/p\u003e\n```\u003cbr\u003emanagement:\u003cbr\u003e\u0026nbsp; \u0026nbsp;endpoints:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp;web:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; exposure:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; include: health,metrics,prometheus\u003cbr\u003e```\u003cbr\u003e\n\u003cp\u003eThis issue has been reported as \u003cstrong\u003eCVE-2023-48796\u003c/strong\u003e:\u003cbr\u003e\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://cveprocess.apache.org/cve5/CVE-2023-48796\"\u003ehttps://cveprocess.apache.org/cve5/CVE-2023-48796\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.\n\nThis vulnerability may allow unauthorized actors to access sensitive information, including database credentials.\n\n\nThis issue affects Apache DolphinScheduler versions 3.1.*.\n\n\nUsers are recommended to upgrade to:\n\n\n\n\n\n\n\n * version \u2265 3.2.0 if using 3.1.x\n\n\n\n\n\n\nAs a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:\n\n\n```\nMANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus\n```\n\nAlternatively, add the following configuration to the application.yaml file:\n\n\n```\nmanagement:\n\u00a0 \u00a0endpoints:\n\u00a0 \u00a0 \u00a0web:\n\u00a0 \u00a0 \u00a0 \u00a0 exposure:\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 include: health,metrics,prometheus\n```\n\nThis issue has been reported as CVE-2023-48796:\n\n https://cveprocess.apache.org/cve5/CVE-2023-48796"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T09:27:13.570Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48796"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-62188",
"datePublished": "2026-04-09T09:27:13.570Z",
"dateReserved": "2025-10-08T15:40:33.512Z",
"dateUpdated": "2026-04-09T13:57:33.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43166 (GCVE-0-2024-43166)
Vulnerability from nvd – Published: 2025-09-03 09:10 – Updated: 2025-11-04 21:08
VLAI
Summary
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(maven)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:44:48.062064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:19.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:48.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Default Permissions vulnerability in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Default Permissions vulnerability in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T09:10:24.401Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43166",
"datePublished": "2025-09-03T09:10:24.401Z",
"dateReserved": "2024-08-07T10:39:22.903Z",
"dateUpdated": "2025-11-04T21:08:48.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43115 (GCVE-0-2024-43115)
Vulnerability from nvd – Published: 2025-09-03 08:38 – Updated: 2025-11-04 21:08
VLAI
Title
Apache DolphinScheduler: Alert Script Attack
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:45:02.888615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:24.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:47.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can execute any shell script server by alert script.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.\n\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T08:38:32.442Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qm36nrsv1vrr2j4o5q2wo75h3686hrnj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Alert Script Attack",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43115",
"datePublished": "2025-09-03T08:38:32.442Z",
"dateReserved": "2024-08-07T06:13:30.951Z",
"dateUpdated": "2025-11-04T21:08:47.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43202 (GCVE-0-2024-43202)
Vulnerability from nvd – Published: 2024-08-20 07:29 – Updated: 2024-08-20 15:02
VLAI
Title
Apache DolphinScheduler: Remote Code Execution Vulnerability
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
5 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.0.0 , < 3.2.2
(semver)
|
|
| apache_software_foundation | apache_dolphinscheduler |
Affected:
3.0.0 , < 3.2.2
(semver)
cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T13:06:20.819939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T13:13:41.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-20T15:02:42.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "an4er"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.2. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T07:29:43.170Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15758"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49109"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43202",
"datePublished": "2024-08-20T07:29:43.170Z",
"dateReserved": "2024-08-07T15:30:55.296Z",
"dateUpdated": "2024-08-20T15:02:42.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30188 (GCVE-0-2024-30188)
Vulnerability from nvd – Published: 2024-08-09 14:23 – Updated: 2025-03-13 14:01
VLAI
Title
Apache DolphinScheduler: Resource File Read And Write Vulnerability
Summary
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files.
This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.
Users are recommended to upgrade to version 3.2.2, which fixes the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.1.0 , < 3.2.2
(semver)
|
|
| apache | dolphinscheduler |
Affected:
3.1.0 , < 3.2.2
(semver)
cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:52.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-10T14:25:59.911467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:01:49.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "drun1baby"
},
{
"lang": "en",
"type": "reporter",
"value": "Zevi"
},
{
"lang": "en",
"type": "reporter",
"value": "Xun Bai"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u0026nbsp; authenticated users can illegally access additional resource files.\u003cbr\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u00a0 authenticated users can illegally access additional resource files.\nThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:23:27.823Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Resource File Read And Write Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-30188",
"datePublished": "2024-08-09T14:23:27.823Z",
"dateReserved": "2024-03-25T09:58:24.854Z",
"dateUpdated": "2025-03-13T14:01:49.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29831 (GCVE-0-2024-29831)
Vulnerability from nvd – Published: 2024-08-09 14:21 – Updated: 2024-08-12 17:49
VLAI
Title
Apache DolphinScheduler: RCE by arbitrary js execution
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , ≤ 3.2.1
(semver)
|
|
| apache_software_foundation | apache_dolphinscheduler |
Affected:
0 , ≤ 3.2.1
(semver)
cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:51.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:05:34.308702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:49:00.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yerest"
},
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "My Long"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:21:48.184Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: RCE by arbitrary js execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29831",
"datePublished": "2024-08-09T14:21:48.184Z",
"dateReserved": "2024-03-20T09:51:46.246Z",
"dateUpdated": "2024-08-12T17:49:00.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23320 (GCVE-0-2024-23320)
Vulnerability from nvd – Published: 2024-02-23 16:57 – Updated: 2025-02-13 17:39
VLAI
Title
Apache DolphinScheduler: Arbitrary js execution as root for authenticated users
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/apache/dolphinscheduler/pull/15487 | patch |
| https://lists.apache.org/thread/tnf99qoc6tlnwrny4… | issue-tracking |
| https://lists.apache.org/thread/25qhfvlksozzp6j9y… | vendor-advisory |
| https://lists.apache.org/thread/p7rwzdgrztdfps8x1… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2024/02/23/3 |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.1
(semver)
|
|
| apache | dolphinscheduler |
Affected:
0 , < 3.2.1
(semver)
cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T18:27:33.967939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:29:05.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-master",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xuesong.zhou"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
},
{
"lang": "en",
"type": "finder",
"value": "Huang Atao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: until 3.2.1.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\n\nThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\n\nThis issue affects Apache DolphinScheduler: until 3.2.1.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T17:00:13.617Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary js execution as root for authenticated users",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-23320",
"datePublished": "2024-02-23T16:57:09.741Z",
"dateReserved": "2024-01-15T10:49:33.393Z",
"dateUpdated": "2025-02-13T17:39:41.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51770 (GCVE-0-2023-51770)
Vulnerability from nvd – Published: 2024-02-20 10:02 – Updated: 2025-03-27 16:50
VLAI
Title
Apache DolphinScheduler: Arbitrary File Read Vulnerability
Summary
Arbitrary File Read Vulnerability in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
1.2.0 , < 3.2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T20:29:47.005332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:50:01.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-datasource-mysql",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "zhiwei"
},
{
"lang": "en",
"type": "finder",
"value": "rg"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.1. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"value": "Arbitrary File Read Vulnerability in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T10:05:08.798Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15433"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary File Read Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51770",
"datePublished": "2024-02-20T10:02:12.991Z",
"dateReserved": "2023-12-25T03:43:07.636Z",
"dateUpdated": "2025-03-27T16:50:01.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50270 (GCVE-0-2023-50270)
Vulnerability from nvd – Published: 2024-02-20 10:01 – Updated: 2024-08-29 15:08
VLAI
Title
Apache DolphinScheduler: Session do not expire after password change
Summary
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
1.3.8 , ≤ 3.2.0
(semver)
|
|
| apache | dolphinscheduler |
Affected:
1.3.8 , ≤ 3.2.0
(semver)
cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T17:07:02.901267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:08:36.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "1.3.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lujiefsi"
},
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"value": "Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T10:17:35.425Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Session do not expire after password change",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-50270",
"datePublished": "2024-02-20T10:01:32.260Z",
"dateReserved": "2023-12-06T02:25:09.094Z",
"dateUpdated": "2024-08-29T15:08:36.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-47340 (GCVE-0-2026-47340)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:00 – Updated: 2026-06-17 15:37
VLAI
Title
Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
Summary
Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:40:13.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-47340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:37:14.740417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:37:28.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "thesecguy45@gmail.com"
},
{
"lang": "en",
"type": "finder",
"value": "udolemi (S2W)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.4.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.4.2.\n\nUsers are recommended to upgrade to version 3.4.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:00:12.475Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gx6v1wjb6qg3fzksxomysspy2gw54ooc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-47340",
"datePublished": "2026-06-17T09:00:12.475Z",
"dateReserved": "2026-05-19T11:34:37.241Z",
"dateUpdated": "2026-06-17T15:37:28.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32967 (GCVE-0-2026-32967)
Vulnerability from cvelistv5 – Published: 2026-06-17 08:57 – Updated: 2026-06-17 15:36
VLAI
Title
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Summary
Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:39:53.741Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:36:08.328619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:36:12.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "b0b0haha (603571786@qq.com)"
},
{
"lang": "en",
"type": "finder",
"value": "j311yl0v3u (2439839508@qq.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.4.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.4.2.\n\nUsers are recommended to upgrade to version 3.4.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:57:55.852Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5o5jrg1snkmrto96wg015wgbh7hyckzc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-32967",
"datePublished": "2026-06-17T08:57:55.852Z",
"dateReserved": "2026-03-17T01:51:58.417Z",
"dateUpdated": "2026-06-17T15:36:12.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42357 (GCVE-0-2026-42357)
Vulnerability from cvelistv5 – Published: 2026-06-17 08:56 – Updated: 2026-06-17 15:35
VLAI
Title
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Summary
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:40:04.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:35:00.281861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:35:11.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yicheng Yu(https://github.com/FHMTT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler versions prior to 3.4.2.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes this issue.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.2.\n\n\nUsers are recommended to upgrade to version 3.4.2, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:56:55.154Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/74l2rrz32w2chn7vz64313gk7ox5wjtr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-42357",
"datePublished": "2026-06-17T08:56:55.154Z",
"dateReserved": "2026-04-26T14:44:49.319Z",
"dateUpdated": "2026-06-17T15:35:11.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41280 (GCVE-0-2026-41280)
Vulnerability from cvelistv5 – Published: 2026-06-17 08:55 – Updated: 2026-06-17 11:06
VLAI
Title
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Summary
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:40:02.283Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-41280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T11:05:58.721556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T11:06:01.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yicheng Yu(https://github.com/FHMTT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler versions prior to 3.4.2. \u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes this issue.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.2. \n\nUsers are recommended to upgrade to version 3.4.2, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:55:29.988Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41280",
"datePublished": "2026-06-17T08:55:29.988Z",
"dateReserved": "2026-04-19T05:17:56.571Z",
"dateUpdated": "2026-06-17T11:06:01.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32966 (GCVE-0-2026-32966)
Vulnerability from cvelistv5 – Published: 2026-06-17 08:43 – Updated: 2026-06-17 15:34
VLAI
Title
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Summary
DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-17T09:39:51.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:34:00.767997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:34:06.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "b0b0haha (603571786@qq.com)"
},
{
"lang": "en",
"type": "finder",
"value": "j311yl0v3u (2439839508@qq.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.4.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.4.2.\n\nUsers are recommended to upgrade to version 3.4.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T08:43:11.566Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4f1fojpj26z9y5nd1ko845gcknpn75g2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-32966",
"datePublished": "2026-06-17T08:43:11.566Z",
"dateReserved": "2026-03-17T01:50:30.908Z",
"dateUpdated": "2026-06-17T15:34:06.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23902 (GCVE-0-2026-23902)
Vulnerability from cvelistv5 – Published: 2026-04-24 10:56 – Updated: 2026-04-24 18:33
VLAI
Title
Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.
Summary
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.
This issue affects Apache DolphinScheduler versions prior to 3.4.1.
Users are recommended to upgrade to version 3.4.1, which fixes this issue.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-24T11:28:42.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/24/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T18:25:12.669237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:33:34.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-api",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jihang Yu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler versions prior to 3.4.1.\u0026nbsp;\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.4.1, which fixes this issue.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.1.\u00a0\n\nUsers are recommended to upgrade to version 3.4.1, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T10:56:18.289Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-23902",
"datePublished": "2026-04-24T10:56:18.289Z",
"dateReserved": "2026-01-18T04:07:20.514Z",
"dateUpdated": "2026-04-24T18:33:34.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62233 (GCVE-0-2025-62233)
Vulnerability from cvelistv5 – Published: 2026-04-24 10:54 – Updated: 2026-04-24 16:09
VLAI
Title
Apache DolphinScheduler: Deserialization of untrusted data in RPC
Summary
Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.
This issue affects Apache DolphinScheduler:
Version >= 3.2.0 and < 3.3.1.
Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.
Users are recommended to upgrade to version [3.3.1], which fixes the issue.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.2.0 , < 3.3.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-24T11:28:22.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/24/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-62233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:09:54.360016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T16:09:59.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-extract-base",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "75Acol, fcgboy, ch0wn, zer0duck"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler:\u0026nbsp;\u003c/p\u003e\u003cp\u003eVersion \u0026gt;= 3.2.0 and \u0026lt; 3.3.1.\u003c/p\u003eAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version [3.3.1], which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\n\nThis issue affects Apache DolphinScheduler:\u00a0\n\nVersion \u003e= 3.2.0 and \u003c 3.3.1.\n\nAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\nUsers are recommended to upgrade to version [3.3.1], which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T10:54:55.162Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Deserialization of untrusted data in RPC",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-62233",
"datePublished": "2026-04-24T10:54:55.162Z",
"dateReserved": "2025-10-09T12:40:17.778Z",
"dateUpdated": "2026-04-24T16:09:59.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62188 (GCVE-0-2025-62188)
Vulnerability from cvelistv5 – Published: 2026-04-09 09:27 – Updated: 2026-04-09 13:57
VLAI
Title
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Summary
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.
This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.
This issue affects Apache DolphinScheduler versions 3.1.*.
Users are recommended to upgrade to:
* version ≥ 3.2.0 if using 3.1.x
As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:
```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```
Alternatively, add the following configuration to the application.yaml file:
```
management:
endpoints:
web:
exposure:
include: health,metrics,prometheus
```
This issue has been reported as CVE-2023-48796:
https://cveprocess.apache.org/cve5/CVE-2023-48796
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/ffrmkcwgr2lcz0f5n… | vendor-advisory |
| https://www.cve.org/CVERecord?id=CVE-2023-48796 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.1.0 , < 3.2.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-62188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T13:57:14.827090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T13:57:33.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.0",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "w aiyou"
},
{
"lang": "en",
"type": "reporter",
"value": "\u9b4f\u5927\u521b"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn \u003cstrong\u003eExposure of Sensitive Information to an Unauthorized Actor\u003c/strong\u003e vulnerability exists in Apache DolphinScheduler.\u003cbr\u003e\nThis vulnerability may allow unauthorized actors to access sensitive information, including database credentials.\u003c/p\u003e\n\u003cp\u003eThis issue affects \u003cstrong\u003eApache DolphinScheduler versions 3.1.*\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eUsers are recommended to upgrade to:\u003cbr\u003e\u003c/p\u003e\n\n\n\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eversion \u2265 3.2.0\u003c/strong\u003e if using \u003cstrong\u003e3.1.x\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eAs a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:\u003c/p\u003e\n```\u003cbr\u003eMANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus\u003cbr\u003e```\u003cbr\u003e\n\u003cp\u003eAlternatively, add the following configuration to the \u003ccode\u003eapplication.yaml\u003c/code\u003e file:\u003c/p\u003e\n```\u003cbr\u003emanagement:\u003cbr\u003e\u0026nbsp; \u0026nbsp;endpoints:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp;web:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; exposure:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; include: health,metrics,prometheus\u003cbr\u003e```\u003cbr\u003e\n\u003cp\u003eThis issue has been reported as \u003cstrong\u003eCVE-2023-48796\u003c/strong\u003e:\u003cbr\u003e\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://cveprocess.apache.org/cve5/CVE-2023-48796\"\u003ehttps://cveprocess.apache.org/cve5/CVE-2023-48796\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.\n\nThis vulnerability may allow unauthorized actors to access sensitive information, including database credentials.\n\n\nThis issue affects Apache DolphinScheduler versions 3.1.*.\n\n\nUsers are recommended to upgrade to:\n\n\n\n\n\n\n\n * version \u2265 3.2.0 if using 3.1.x\n\n\n\n\n\n\nAs a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:\n\n\n```\nMANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus\n```\n\nAlternatively, add the following configuration to the application.yaml file:\n\n\n```\nmanagement:\n\u00a0 \u00a0endpoints:\n\u00a0 \u00a0 \u00a0web:\n\u00a0 \u00a0 \u00a0 \u00a0 exposure:\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 include: health,metrics,prometheus\n```\n\nThis issue has been reported as CVE-2023-48796:\n\n https://cveprocess.apache.org/cve5/CVE-2023-48796"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T09:27:13.570Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48796"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-62188",
"datePublished": "2026-04-09T09:27:13.570Z",
"dateReserved": "2025-10-08T15:40:33.512Z",
"dateUpdated": "2026-04-09T13:57:33.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43166 (GCVE-0-2024-43166)
Vulnerability from cvelistv5 – Published: 2025-09-03 09:10 – Updated: 2025-11-04 21:08
VLAI
Summary
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(maven)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:44:48.062064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:19.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:48.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Default Permissions vulnerability in Apache DolphinScheduler.\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Default Permissions vulnerability in Apache DolphinScheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T09:10:24.401Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43166",
"datePublished": "2025-09-03T09:10:24.401Z",
"dateReserved": "2024-08-07T10:39:22.903Z",
"dateUpdated": "2025-11-04T21:08:48.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43115 (GCVE-0-2024-43115)
Vulnerability from cvelistv5 – Published: 2025-09-03 08:38 – Updated: 2025-11-04 21:08
VLAI
Title
Apache DolphinScheduler: Alert Script Attack
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T13:45:02.888615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T15:43:24.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:47.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can execute any shell script server by alert script.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e3.3.1\u003c/span\u003e, which fixes the issue.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.\n\n\nThis issue affects Apache DolphinScheduler: before 3.2.2.\n\nUsers are recommended to upgrade to version 3.3.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T08:38:32.442Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qm36nrsv1vrr2j4o5q2wo75h3686hrnj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Alert Script Attack",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43115",
"datePublished": "2025-09-03T08:38:32.442Z",
"dateReserved": "2024-08-07T06:13:30.951Z",
"dateUpdated": "2025-11-04T21:08:47.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43202 (GCVE-0-2024-43202)
Vulnerability from cvelistv5 – Published: 2024-08-20 07:29 – Updated: 2024-08-20 15:02
VLAI
Title
Apache DolphinScheduler: Remote Code Execution Vulnerability
Summary
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
5 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.0.0 , < 3.2.2
(semver)
|
|
| apache_software_foundation | apache_dolphinscheduler |
Affected:
3.0.0 , < 3.2.2
(semver)
cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-43202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T13:06:20.819939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T13:13:41.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-20T15:02:42.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "an4er"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache DolphinScheduler: before 3.2.2. \u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.2. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T07:29:43.170Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15758"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49109"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-43202",
"datePublished": "2024-08-20T07:29:43.170Z",
"dateReserved": "2024-08-07T15:30:55.296Z",
"dateUpdated": "2024-08-20T15:02:42.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30188 (GCVE-0-2024-30188)
Vulnerability from cvelistv5 – Published: 2024-08-09 14:23 – Updated: 2025-03-13 14:01
VLAI
Title
Apache DolphinScheduler: Resource File Read And Write Vulnerability
Summary
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files.
This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.
Users are recommended to upgrade to version 3.2.2, which fixes the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
3.1.0 , < 3.2.2
(semver)
|
|
| apache | dolphinscheduler |
Affected:
3.1.0 , < 3.2.2
(semver)
cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:52.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-10T14:25:59.911467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:01:49.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "drun1baby"
},
{
"lang": "en",
"type": "reporter",
"value": "Zevi"
},
{
"lang": "en",
"type": "reporter",
"value": "Xun Bai"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u0026nbsp; authenticated users can illegally access additional resource files.\u003cbr\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "File read and write vulnerability in Apache DolphinScheduler ,\u00a0 authenticated users can illegally access additional resource files.\nThis issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:23:27.823Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Resource File Read And Write Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-30188",
"datePublished": "2024-08-09T14:23:27.823Z",
"dateReserved": "2024-03-25T09:58:24.854Z",
"dateUpdated": "2025-03-13T14:01:49.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29831 (GCVE-0-2024-29831)
Vulnerability from cvelistv5 – Published: 2024-08-09 14:21 – Updated: 2024-08-12 17:49
VLAI
Title
Apache DolphinScheduler: RCE by arbitrary js execution
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , ≤ 3.2.1
(semver)
|
|
| apache_software_foundation | apache_dolphinscheduler |
Affected:
0 , ≤ 3.2.1
(semver)
cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:51.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_dolphinscheduler",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:05:34.308702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:49:00.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yerest"
},
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
},
{
"lang": "en",
"type": "reporter",
"value": "My Long"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:21:48.184Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: RCE by arbitrary js execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29831",
"datePublished": "2024-08-09T14:21:48.184Z",
"dateReserved": "2024-03-20T09:51:46.246Z",
"dateUpdated": "2024-08-12T17:49:00.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23320 (GCVE-0-2024-23320)
Vulnerability from cvelistv5 – Published: 2024-02-23 16:57 – Updated: 2025-02-13 17:39
VLAI
Title
Apache DolphinScheduler: Arbitrary js execution as root for authenticated users
Summary
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/apache/dolphinscheduler/pull/15487 | patch |
| https://lists.apache.org/thread/tnf99qoc6tlnwrny4… | issue-tracking |
| https://lists.apache.org/thread/25qhfvlksozzp6j9y… | vendor-advisory |
| https://lists.apache.org/thread/p7rwzdgrztdfps8x1… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2024/02/23/3 |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
0 , < 3.2.1
(semver)
|
|
| apache | dolphinscheduler |
Affected:
0 , < 3.2.1
(semver)
cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dolphinscheduler",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T18:27:33.967939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:29:05.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.dolphinscheduler:dolphinscheduler-master",
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xuesong.zhou"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
},
{
"lang": "en",
"type": "finder",
"value": "Huang Atao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache DolphinScheduler: until 3.2.1.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.2.1, which fixes the issue.\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.\n\nThis issue is a legacy of CVE-2023-49299. We didn\u0027t fix it completely in CVE-2023-49299, and we added one more patch to fix it.\n\nThis issue affects Apache DolphinScheduler: until 3.2.1.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T17:00:13.617Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/dolphinscheduler/pull/15487"
},
{
"tags": [
"issue-tracking"
],
"url": "https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/23/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler: Arbitrary js execution as root for authenticated users",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-23320",
"datePublished": "2024-02-23T16:57:09.741Z",
"dateReserved": "2024-01-15T10:49:33.393Z",
"dateUpdated": "2025-02-13T17:39:41.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}