GoogleOSV:GHSA-RC6H-QWJ9-2C53Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
49.7%
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server.
This issue is a legacy of CVE-2023-49299. We didn’t fix it completely in CVE-2023-49299, and we added one more patch to fix it.
This issue affects Apache DolphinScheduler: until 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue.
References
www.openwall.com/lists/oss-security/2024/02/23/3
github.com/apache/dolphinscheduler
github.com/apache/dolphinscheduler/commit/ef9ed3db55cb1647886b06c2b2c6a5cfcdccfb5c
github.com/apache/dolphinscheduler/pull/15487
lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq
lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp
lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm
nvd.nist.gov/vuln/detail/CVE-2024-23320
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
49.7%