CRITICAL🇵🇱 Wersja polska

CVE-2024-43166

CVSS 9.8v3.1pub. 2025-09-03upd. 2025-11-04

Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

🤖 AI Analysis
How it works

The error consists of incorrect default permissions configuration in Apache DolphinScheduler software. According to the CVSS vector, the exploit does not require authentication or user interaction, and the attack can be conducted remotely over the network. Incorrect permissions may enable unauthorized access to resources or operations that should be protected.

Impact

An attacker can gain full access to the system — compromising confidentiality, integrity, and availability of data — without needing to possess any permissions or credentials.

Mitigation & patch

Apache DolphinScheduler should be updated immediately to version 3.3.1, which contains a patch eliminating the vulnerability. Details are available in the vendor references at: https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk

Who is affected

Apache DolphinScheduler in versions before 3.2.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Dolphinscheduler

    APP
    Apache
    < 3.2.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-43202CRITICAL9.8PL ✓ten sam produkt

RCE w Apache DolphinScheduler — zdalne wykonanie kodu bez uwierzytelnienia

CVE-2023-49109CRITICAL9.8PL ✓ten sam produkt

RCE w Apache DolphinScheduler — zdalne wykonanie kodu bez uwierzytelnienia

CVE-2022-45875CRITICAL9.8ten sam produkt

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execu...

CVE-2022-45462CRITICAL9.8ten sam produkt

Alarm instance management has command injection when there is a specific command configured. It is only for lo...

CVE-2020-11974CRITICAL9.8ten sam produkt

In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when c...