GoogleOSV:GHSA-V7HG-77V9-2445Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
49.7%
Improper Input Validation vulnerability in Apache DolphinScheduler. AnΒ authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9.
Users are recommended to upgrade to version 3.1.9, which fixes the issue.
References
www.openwall.com/lists/oss-security/2024/02/23/3
github.com/apache/dolphinscheduler
github.com/apache/dolphinscheduler/commit/b5eddc0ce85d379080a51bf2162477f7d8c1b7d2
github.com/apache/dolphinscheduler/pull/15228
lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm
nvd.nist.gov/vuln/detail/CVE-2023-49299
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
49.7%