Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.0
Type maven
Namespace org.apache.dolphinscheduler
Name dolphinscheduler
Version 3.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.3.6
Latest_non_vulnerable_version 3.2.1
Affected_by_vulnerabilities
0
url VCID-83q4-bxad-fkbk
vulnerability_id VCID-83q4-bxad-fkbk
summary On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above.
references
0
reference_url https://github.com/apache/dolphinscheduler
reference_id
reference_type
scores
url https://github.com/apache/dolphinscheduler
1
reference_url https://github.com/apache/dolphinscheduler/pull/12893
reference_id
reference_type
scores
url https://github.com/apache/dolphinscheduler/pull/12893
2
reference_url https://github.com/apache/dolphinscheduler/releases/tag/3.1.2
reference_id
reference_type
scores
url https://github.com/apache/dolphinscheduler/releases/tag/3.1.2
3
reference_url https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf
reference_id
reference_type
scores
url https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf
4
reference_url http://www.openwall.com/lists/oss-security/2023/04/20/10
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2023/04/20/10
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25601
reference_id CVE-2023-25601
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25601
6
reference_url https://github.com/advisories/GHSA-3jxw-cv35-2mmv
reference_id GHSA-3jxw-cv35-2mmv
reference_type
scores
url https://github.com/advisories/GHSA-3jxw-cv35-2mmv
fixed_packages
0
url pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.1.2
purl pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.1.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.1.2
aliases CVE-2023-25601, GHSA-3jxw-cv35-2mmv
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-83q4-bxad-fkbk
1
url VCID-njex-4pqg-mff6
vulnerability_id VCID-njex-4pqg-mff6
summary
Improper Control of Generation of Code ('Code Injection')
Exposure of Remote Code Execution in Apache Dolphinscheduler.

This issue affects Apache DolphinScheduler: before 3.2.1. 

We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
references
0
reference_url https://github.com/apache/dolphinscheduler/pull/14991
reference_id
reference_type
scores
url https://github.com/apache/dolphinscheduler/pull/14991
1
reference_url https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8
reference_id
reference_type
scores
url https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8
2
reference_url https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5
reference_id
reference_type
scores
url https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5
3
reference_url http://www.openwall.com/lists/oss-security/2024/02/20/4
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/02/20/4
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49109
reference_id CVE-2023-49109
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-49109
5
reference_url https://github.com/advisories/GHSA-qwxx-xww6-8q8m
reference_id GHSA-qwxx-xww6-8q8m
reference_type
scores
url https://github.com/advisories/GHSA-qwxx-xww6-8q8m
fixed_packages
0
url pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.2.1
purl pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.2.1
aliases CVE-2023-49109, GHSA-qwxx-xww6-8q8m
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-njex-4pqg-mff6
2
url VCID-vqwr-25tx-aqez
vulnerability_id VCID-vqwr-25tx-aqez
summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.

The information exposed to unauthorized actors may include sensitive data such as database credentials.

Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file

```
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2, which fixes the issue.
references
0
reference_url https://github.com/apache/dolphinscheduler
reference_id
reference_type
scores
url https://github.com/apache/dolphinscheduler
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2023-268.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2023-268.yaml
2
reference_url https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo
3
reference_url http://www.openwall.com/lists/oss-security/2023/11/24/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2023/11/24/1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48796
reference_id CVE-2023-48796
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-48796
5
reference_url https://github.com/advisories/GHSA-4vvc-r4p4-qgrr
reference_id GHSA-4vvc-r4p4-qgrr
reference_type
scores
url https://github.com/advisories/GHSA-4vvc-r4p4-qgrr
fixed_packages
0
url pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.2
purl pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.2
aliases CVE-2023-48796, GHSA-4vvc-r4p4-qgrr, PYSEC-2023-268
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vqwr-25tx-aqez
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.0