| 0 |
| url |
VCID-6nzs-31fa-vudc |
| vulnerability_id |
VCID-6nzs-31fa-vudc |
| summary |
Missing Authorization
Before DolphinScheduler version 3.1.0, a logged-in user could delete UDF functions in the resource center without authorization (UDF functions are mostly used in SQL tasks); this is an insecure direct object reference (IDOR) vulnerability. The issue is fixed in version 3.1.0. We rate this CVE as moderate because it still requires the user to be logged in. Please upgrade to version 3.1.0 to avoid this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-49620, GHSA-r44q-98gx-pmh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6nzs-31fa-vudc |
|
| 1 |
| url |
VCID-9499-ush9-ayhh |
| vulnerability_id |
VCID-9499-ush9-ayhh |
| summary |
Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue. |
| references |
| 3 |
| reference_url |
https://github.com/apache/dolphinscheduler/pull/15487 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-26T18:27:33Z/ |
|
|
| url |
https://github.com/apache/dolphinscheduler/pull/15487 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-23320, GHSA-rc6h-qwj9-2c53
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9499-ush9-ayhh |
|
| 2 |
| url |
VCID-a9cw-q6g7-t3d6 |
| vulnerability_id |
VCID-a9cw-q6g7-t3d6 |
| summary |
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. This issue affects Apache DolphinScheduler: until 3.1.9.
Users are recommended to upgrade to version 3.1.9, which fixes the issue. |
| references |
| 3 |
| reference_url |
https://github.com/apache/dolphinscheduler/pull/15228 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-26T20:21:55Z/ |
|
|
| url |
https://github.com/apache/dolphinscheduler/pull/15228 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-49299, GHSA-v7hg-77v9-2445
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a9cw-q6g7-t3d6 |
|
| 3 |
| url |
VCID-aer3-3j27-gqaa |
| vulnerability_id |
VCID-aer3-3j27-gqaa |
| summary |
Insufficient Session Expiration
Session Fixation in Apache DolphinScheduler before version 3.2.0: a session remains valid after the password is changed.
Users are recommended to upgrade to version 3.2.1, which fixes this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-50270, GHSA-vjqc-g788-f378
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aer3-3j27-gqaa |
|
| 4 |
| url |
VCID-bqnz-n1hj-r3gx |
| vulnerability_id |
VCID-bqnz-n1hj-r3gx |
| summary |
Improper Certificate Validation in Apache DolphinScheduler
Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.
This issue affects Apache DolphinScheduler: before 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-49250, GHSA-37gx-jqx9-fwmg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bqnz-n1hj-r3gx |
|
| 5 |
| url |
VCID-dk6a-gdh4-2fbj |
| vulnerability_id |
VCID-dk6a-gdh4-2fbj |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
In Apache DolphinScheduler authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-27644 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.78957 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.78954 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.78963 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.7893 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-27644 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-27644, GHSA-93g4-3phc-g4xw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dk6a-gdh4-2fbj |
|
| 6 |
| url |
VCID-dkpw-agff-ebcv |
| vulnerability_id |
VCID-dkpw-agff-ebcv |
| summary |
Apache DolphinScheduler vulnerable to Path Traversal
Users can read any file through the log server. Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-26884, GHSA-vpgf-fgm8-gxr2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dkpw-agff-ebcv |
|
| 7 |
| url |
VCID-kw72-g6v7-7fgk |
| vulnerability_id |
VCID-kw72-g6v7-7fgk |
| summary |
Apache DolphinScheduler vulnerable to Alert Script Attack
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script on the server via the alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-43115, GHSA-3vcp-r62v-xpvg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kw72-g6v7-7fgk |
|
| 8 |
| url |
VCID-p7d8-kg27-nbee |
| vulnerability_id |
VCID-p7d8-kg27-nbee |
| summary |
Arbitrary File Read Vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend users upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-51770, GHSA-ff2w-wm48-jhqj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p7d8-kg27-nbee |
|
| 9 |
| url |
VCID-pb5n-s8tt-ykeb |
| vulnerability_id |
VCID-pb5n-s8tt-ykeb |
| summary |
Apache Dolphin Scheduler has insufficiently protected credentials
When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-26885 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00659 |
| scoring_system |
epss |
| scoring_elements |
0.71471 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00659 |
| scoring_system |
epss |
| scoring_elements |
0.71498 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00659 |
| scoring_system |
epss |
| scoring_elements |
0.71522 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00659 |
| scoring_system |
epss |
| scoring_elements |
0.71515 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-26885 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-26885, GHSA-jvc3-wjf6-7c6c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pb5n-s8tt-ykeb |
|
| 10 |
| url |
VCID-pnp9-9m41-jqdh |
| vulnerability_id |
VCID-pnp9-9m41-jqdh |
| summary |
Apache DolphinScheduler: RCE by arbitrary js execution
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-29831, GHSA-m9q4-p56m-mc6q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pnp9-9m41-jqdh |
|
| 11 |
| url |
VCID-rd8x-n14v-a3g5 |
| vulnerability_id |
VCID-rd8x-n14v-a3g5 |
| summary |
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-13922 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00831 |
| scoring_system |
epss |
| scoring_elements |
0.74919 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00831 |
| scoring_system |
epss |
| scoring_elements |
0.74944 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00831 |
| scoring_system |
epss |
| scoring_elements |
0.74952 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00831 |
| scoring_system |
epss |
| scoring_elements |
0.74948 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-13922 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-13922, GHSA-qhh5-9738-g9mx, PYSEC-2021-876
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rd8x-n14v-a3g5 |
|
| 12 |
| url |
VCID-rkba-ka1m-fbdq |
| vulnerability_id |
VCID-rkba-ka1m-fbdq |
| summary |
Apache DolphinScheduler has an Incorrect Authorization Vulnerability
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.
This issue affects Apache DolphinScheduler versions prior to 3.4.1.
Users are recommended to upgrade to version 3.4.1, which fixes this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-23902, GHSA-72mv-wwvm-vgp5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rkba-ka1m-fbdq |
|
| 13 |
| url |
VCID-t6hf-upum-fket |
| vulnerability_id |
VCID-t6hf-upum-fket |
| summary |
Apache DolphinScheduler vulnerable to Path Traversal
When users add resources to the resource center with a relative path, this vulnerability allows path traversal by logged-in users. Users should upgrade to version 3.0.0 to avoid this issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-34662 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77867 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77891 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77901 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01049 |
| scoring_system |
epss |
| scoring_elements |
0.77894 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-34662 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-34662, GHSA-fp35-xrrr-3gph
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t6hf-upum-fket |
|
| 14 |
| url |
VCID-tc37-6huh-v7gs |
| vulnerability_id |
VCID-tc37-6huh-v7gs |
| summary |
Code Execution
In DolphinScheduler, a remote code execution vulnerability exists via mysql connectorj when MySQL is chosen as the database. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-11974, GHSA-jpj4-5xwp-cv23
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tc37-6huh-v7gs |
|
| 15 |
| url |
VCID-vcek-m7ex-a7hm |
| vulnerability_id |
VCID-vcek-m7ex-a7hm |
| summary |
Apache DolphinScheduler Incorrect Default Permissions Vulnerability
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-43166, GHSA-rrpj-r8h7-rm7r
|
| risk_score |
4.4 |
| exploitability |
0.5 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vcek-m7ex-a7hm |
|
| 16 |
| url |
VCID-yc2s-jxa6-8ua9 |
| vulnerability_id |
VCID-yc2s-jxa6-8ua9 |
| summary |
Apache DolphinScheduler user registration is vulnerable to Regular expression Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-25598 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01127 |
| scoring_system |
epss |
| scoring_elements |
0.78636 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01127 |
| scoring_system |
epss |
| scoring_elements |
0.78662 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.01127 |
| scoring_system |
epss |
| scoring_elements |
0.78671 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01127 |
| scoring_system |
epss |
| scoring_elements |
0.78663 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-25598 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-25598, GHSA-qg5x-66hp-cw5p, PYSEC-2022-176
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yc2s-jxa6-8ua9 |
|
| 17 |
| url |
VCID-z8sf-946n-kkgv |
| vulnerability_id |
VCID-z8sf-946n-kkgv |
| summary |
Command injection in Apache DolphinScheduler Alert Plugins
Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-45462 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.21258 |
| scoring_system |
epss |
| scoring_elements |
0.95787 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.21258 |
| scoring_system |
epss |
| scoring_elements |
0.95796 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.21258 |
| scoring_system |
epss |
| scoring_elements |
0.95795 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.21258 |
| scoring_system |
epss |
| scoring_elements |
0.95792 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-45462 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-45462, GHSA-wqg7-mx6p-2rw3
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z8sf-946n-kkgv |
|
| 18 |
| url |
VCID-zx11-jxkm-bycp |
| vulnerability_id |
VCID-zx11-jxkm-bycp |
| summary |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the meantime, we recommend you make sure the logs are only available to trusted operators. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-49068, GHSA-c6cg-73p3-973h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zx11-jxkm-bycp |
|