Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
The vulnerability classified as CWE-94 (Improper Control of Generation of Code) allows injection and execution of malicious code on the server side. An attacker can trigger the vulnerable mechanism remotely, without needing to possess any privileges or user interaction (vector AV:N/AC:L/PR:N/UI:N). The detailed triggering mechanism is described in the patch available in the project repository (pull request #14991).
Successful exploitation of the vulnerability gives the attacker full control over the system — the ability to read and modify data as well as disrupt service availability (C:H/I:H/A:H). In production environments, this can mean compromise of the entire process orchestration and data pipeline infrastructure.
Apache DolphinScheduler should be updated immediately to version 3.2.1, which contains a patch eliminating the vulnerability. The recommendation comes directly from the vendor.
Apache DolphinScheduler in all versions before 3.2.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Dolphinscheduler
APPApache3.0.0 – 3.2.1 (bez)
Related vulnerabilities
Nieprawidłowe domyślne uprawnienia w Apache DolphinScheduler
RCE w Apache DolphinScheduler — zdalne wykonanie kodu bez uwierzytelnienia
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execu...
Alarm instance management has command injection when there is a specific command configured. It is only for lo...
In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when c...