Search for packages
| purl | pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@1.3.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6nzs-31fa-vudc
Aliases: CVE-2023-49620 GHSA-r44q-98gx-pmh2 |
Missing Authorization Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability |
Affected by 15 other vulnerabilities. |
|
VCID-9499-ush9-ayhh
Aliases: CVE-2024-23320 GHSA-rc6h-qwj9-2c53 |
Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it. This issue affects Apache DolphinScheduler: until 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. |
Affected by 6 other vulnerabilities. |
|
VCID-a9cw-q6g7-t3d6
Aliases: CVE-2023-49299 GHSA-v7hg-77v9-2445 |
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue. |
Affected by 12 other vulnerabilities. |
|
VCID-aer3-3j27-gqaa
Aliases: CVE-2023-50270 GHSA-vjqc-g788-f378 |
Insufficient Session Expiration Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-bqnz-n1hj-r3gx
Aliases: CVE-2023-49250 GHSA-37gx-jqx9-fwmg |
Improper Certificate Validation in Apache DolphinScheduler Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. |
Affected by 6 other vulnerabilities. |
|
VCID-dkpw-agff-ebcv
Aliases: CVE-2022-26884 GHSA-vpgf-fgm8-gxr2 |
Apache DolphinScheduler vulnerable to Path Traversal Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. |
Affected by 12 other vulnerabilities. |
|
VCID-kw72-g6v7-7fgk
Aliases: CVE-2024-43115 GHSA-3vcp-r62v-xpvg |
Apache DolphinScheduler vulnerable to Alert Script Attack Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-p7d8-kg27-nbee
Aliases: CVE-2023-51770 GHSA-ff2w-wm48-jhqj |
Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. |
Affected by 6 other vulnerabilities. |
|
VCID-pb5n-s8tt-ykeb
Aliases: CVE-2022-26885 GHSA-jvc3-wjf6-7c6c |
Apache Dolphin Scheduler has insufficiently protected credentials When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher. |
Affected by 12 other vulnerabilities. |
|
VCID-pnp9-9m41-jqdh
Aliases: CVE-2024-29831 GHSA-m9q4-p56m-mc6q |
Apache DolphinScheduler: RCE by arbitrary js execution Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-rkba-ka1m-fbdq
Aliases: CVE-2026-23902 GHSA-72mv-wwvm-vgp5 |
Apache DolphinScheduler has an Incorrect Authorization Vulnerability Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users are recommended to upgrade to version 3.4.1, which fixes this issue. |
Affected by 0 other vulnerabilities. |
|
VCID-t6hf-upum-fket
Aliases: CVE-2022-34662 GHSA-fp35-xrrr-3gph |
Apache DolphinScheduler vulnerable to Path Traversal When users add resources to the resource center with a relation path, this vulnerability will cause path traversal issues for logged-in users. Users should upgrade to version 3.0.0 to avoid this issue. |
Affected by 14 other vulnerabilities. |
|
VCID-vcek-m7ex-a7hm
Aliases: CVE-2024-43166 GHSA-rrpj-r8h7-rm7r |
Apache DolphinScheduler Incorrect Default Permissions Vulnerability Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue. |
Affected by 1 other vulnerability. |
|
VCID-yc2s-jxa6-8ua9
Aliases: CVE-2022-25598 GHSA-qg5x-66hp-cw5p PYSEC-2022-176 |
Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. |
Affected by 15 other vulnerabilities. |
|
VCID-z8sf-946n-kkgv
Aliases: CVE-2022-45462 GHSA-wqg7-mx6p-2rw3 |
Command injection in Apache DolphinScheduler Alert Plugins Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher. |
Affected by 12 other vulnerabilities. |
|
VCID-zx11-jxkm-bycp
Aliases: CVE-2023-49068 GHSA-c6cg-73p3-973h |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||