CRITICAL🇵🇱 Wersja polska

CVE-2023-49109

CVSS 9.8v3.1pub. 2024-02-20upd. 2025-03-18

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-94 (Improper Control of Generation of Code) allows injection and execution of malicious code on the server side. An attacker can trigger the vulnerable mechanism remotely, without needing to possess any privileges or user interaction (vector AV:N/AC:L/PR:N/UI:N). The detailed triggering mechanism is described in the patch available in the project repository (pull request #14991).

Impact

Successful exploitation of the vulnerability gives the attacker full control over the system — the ability to read and modify data as well as disrupt service availability (C:H/I:H/A:H). In production environments, this can mean compromise of the entire process orchestration and data pipeline infrastructure.

Mitigation & patch

Apache DolphinScheduler should be updated immediately to version 3.2.1, which contains a patch eliminating the vulnerability. The recommendation comes directly from the vendor.

Who is affected

Apache DolphinScheduler in all versions before 3.2.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Dolphinscheduler

    APP
    Apache
    3.0.0 – 3.2.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-43166CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowe domyślne uprawnienia w Apache DolphinScheduler

CVE-2024-43202CRITICAL9.8PL ✓ten sam produkt

RCE w Apache DolphinScheduler — zdalne wykonanie kodu bez uwierzytelnienia

CVE-2022-45875CRITICAL9.8ten sam produkt

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execu...

CVE-2022-45462CRITICAL9.8ten sam produkt

Alarm instance management has command injection when there is a specific command configured. It is only for lo...

CVE-2020-11974CRITICAL9.8ten sam produkt

In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when c...