GitHub Advisory DatabaseGHSA-3JXW-CV35-2MMVApache DolphinScheduler's python gateway suffered from improper authentication
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
0.002 Low
EPSS
Percentile
61.5%
On version 3.0.0 through 3.1.1, Apache DolphinSchedulerโs python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value python-gateway.enabled=false in configuration file application.yaml. If you are using the python gateway, please upgrade to version 3.1.2 or above.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler-api | lt | 3.1.2 |
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
0.002 Low
EPSS
Percentile
61.5%