CVE-2022-45875

Description

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Apache Software Foundation / Apache DolphinScheduler3.0 – 3.0.1
Apache Software Foundation / Apache DolphinScheduler3.1 – 3.1.0

References

MAILING_LISThttps://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r
MAILING_LISThttp://www.openwall.com/lists/oss-security/2023/11/22/2