| 0 |
| url |
VCID-6nzs-31fa-vudc |
| vulnerability_id |
VCID-6nzs-31fa-vudc |
| summary |
Missing Authorization
Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49620 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56416 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56432 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56444 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56438 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49620 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-49620, GHSA-r44q-98gx-pmh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6nzs-31fa-vudc |
|
| 1 |
| url |
VCID-9499-ush9-ayhh |
| vulnerability_id |
VCID-9499-ush9-ayhh |
| summary |
Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23320 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00737 |
| scoring_system |
epss |
| scoring_elements |
0.73253 |
| published_at |
2026-06-06T12:55:00Z |
|
| 1 |
| value |
0.00737 |
| scoring_system |
epss |
| scoring_elements |
0.73222 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.00737 |
| scoring_system |
epss |
| scoring_elements |
0.73235 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00737 |
| scoring_system |
epss |
| scoring_elements |
0.73247 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23320 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/dolphinscheduler/pull/15487 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-26T18:27:33Z/ |
|
|
| url |
https://github.com/apache/dolphinscheduler/pull/15487 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-23320, GHSA-rc6h-qwj9-2c53
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9499-ush9-ayhh |
|
| 2 |
| url |
VCID-a9cw-q6g7-t3d6 |
| vulnerability_id |
VCID-a9cw-q6g7-t3d6 |
| summary |
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9.
Users are recommended to upgrade to version 3.1.9, which fixes the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49299 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00593 |
| scoring_system |
epss |
| scoring_elements |
0.69667 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00593 |
| scoring_system |
epss |
| scoring_elements |
0.69678 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00593 |
| scoring_system |
epss |
| scoring_elements |
0.69688 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00593 |
| scoring_system |
epss |
| scoring_elements |
0.6968 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49299 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/apache/dolphinscheduler/pull/15228 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-26T20:21:55Z/ |
|
|
| url |
https://github.com/apache/dolphinscheduler/pull/15228 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-49299, GHSA-v7hg-77v9-2445
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a9cw-q6g7-t3d6 |
|
| 3 |
| url |
VCID-aer3-3j27-gqaa |
| vulnerability_id |
VCID-aer3-3j27-gqaa |
| summary |
Insufficient Session Expiration
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-50270 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01042 |
| scoring_system |
epss |
| scoring_elements |
0.77805 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.01042 |
| scoring_system |
epss |
| scoring_elements |
0.77818 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.01042 |
| scoring_system |
epss |
| scoring_elements |
0.77825 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01042 |
| scoring_system |
epss |
| scoring_elements |
0.77815 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-50270 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-50270, GHSA-vjqc-g788-f378
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aer3-3j27-gqaa |
|
| 4 |
| url |
VCID-bqnz-n1hj-r3gx |
| vulnerability_id |
VCID-bqnz-n1hj-r3gx |
| summary |
Improper Certificate Validation in Apache DolphinScheduler
Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.
This issue affects Apache DolphinScheduler: before 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49250 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38007 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.37973 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38036 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38039 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49250 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-49250, GHSA-37gx-jqx9-fwmg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bqnz-n1hj-r3gx |
|
| 5 |
| url |
VCID-kw72-g6v7-7fgk |
| vulnerability_id |
VCID-kw72-g6v7-7fgk |
| summary |
Apache DolphinScheduler vulnerable to Alert Script Attack
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-43115 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27326 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27187 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27235 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27275 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-43115 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-43115, GHSA-3vcp-r62v-xpvg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kw72-g6v7-7fgk |
|
| 6 |
| url |
VCID-p7d8-kg27-nbee |
| vulnerability_id |
VCID-p7d8-kg27-nbee |
| summary |
Arbitrary File Read Vulnerability in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-51770, GHSA-ff2w-wm48-jhqj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p7d8-kg27-nbee |
|
| 7 |
| url |
VCID-pnp9-9m41-jqdh |
| vulnerability_id |
VCID-pnp9-9m41-jqdh |
| summary |
Apache DolphinScheduler: RCE by arbitrary js execution
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-29831 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.56924 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.56939 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.56951 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.56943 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-29831 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-29831, GHSA-m9q4-p56m-mc6q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pnp9-9m41-jqdh |
|
| 8 |
| url |
VCID-rkba-ka1m-fbdq |
| vulnerability_id |
VCID-rkba-ka1m-fbdq |
| summary |
Apache DolphinScheduler has an Incorrect Authorization Vulnerability
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.
This issue affects Apache DolphinScheduler versions prior to 3.4.1.
Users are recommended to upgrade to version 3.4.1, which fixes this issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-23902 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06668 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.0662 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06662 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06674 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-23902 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-23902, GHSA-72mv-wwvm-vgp5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rkba-ka1m-fbdq |
|
| 9 |
| url |
VCID-t6hf-upum-fket |
| vulnerability_id |
VCID-t6hf-upum-fket |
| summary |
Apache DolphinScheduler vulnerable to Path Traversal
When users add resources to the resource center with a relation path, this vulnerability will cause path traversal issues for logged-in users. Users should upgrade to version 3.0.0 to avoid this issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-34662 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.7788 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77867 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77894 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77901 |
| published_at |
2026-06-06T12:55:00Z |
|
| 4 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77891 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-34662 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-34662, GHSA-fp35-xrrr-3gph
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t6hf-upum-fket |
|
| 10 |
| url |
VCID-vcek-m7ex-a7hm |
| vulnerability_id |
VCID-vcek-m7ex-a7hm |
| summary |
Apache DolphinScheduler Incorrect Default Permissions Vulnerability
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-43166 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00162 |
| scoring_system |
epss |
| scoring_elements |
0.3687 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00162 |
| scoring_system |
epss |
| scoring_elements |
0.36876 |
| published_at |
2026-06-06T12:55:00Z |
|
| 2 |
| value |
0.00162 |
| scoring_system |
epss |
| scoring_elements |
0.36841 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00162 |
| scoring_system |
epss |
| scoring_elements |
0.36803 |
| published_at |
2026-06-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-43166 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-43166, GHSA-rrpj-r8h7-rm7r
|
| risk_score |
4.4 |
| exploitability |
0.5 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vcek-m7ex-a7hm |
|
| 11 |
| url |
VCID-zx11-jxkm-bycp |
| vulnerability_id |
VCID-zx11-jxkm-bycp |
| summary |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49068 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0016 |
| scoring_system |
epss |
| scoring_elements |
0.36615 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.0016 |
| scoring_system |
epss |
| scoring_elements |
0.3668 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.0016 |
| scoring_system |
epss |
| scoring_elements |
0.36688 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.0016 |
| scoring_system |
epss |
| scoring_elements |
0.36652 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49068 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-49068, GHSA-c6cg-73p3-973h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zx11-jxkm-bycp |
|