Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Dolphinscheduler Security Vulnerabilities

cve
cve

CVE-2024-23320

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it. This...

7.1AI Score

0.0004EPSS

2024-02-23 05:15 PM
1636
cve
cve

CVE-2023-50270

Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this...

7.5AI Score

0.0004EPSS

2024-02-20 10:15 AM
2047
cve
cve

CVE-2023-51770

Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the...

7.3AI Score

0.0004EPSS

2024-02-20 10:15 AM
2033
cve
cve

CVE-2023-49250

Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which...

7.3AI Score

0.0004EPSS

2024-02-20 10:15 AM
2038
cve
cve

CVE-2023-49109

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the...

8.1AI Score

0.0004EPSS

2024-02-20 10:15 AM
2046
cve
cve

CVE-2023-49299

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the...

8.8CVSS

7.3AI Score

0.001EPSS

2023-12-30 05:15 PM
31
cve
cve

CVE-2023-49620

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still...

6.5CVSS

7AI Score

0.001EPSS

2023-11-30 09:15 AM
9
cve
cve

CVE-2023-49068

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not...

7.5CVSS

7AI Score

0.001EPSS

2023-11-27 10:15 AM
15
cve
cve

CVE-2023-48796

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable...

7.5CVSS

6.7AI Score

0.001EPSS

2023-11-24 08:15 AM
25
cve
cve

CVE-2023-25601

On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the...

4.3CVSS

4.5AI Score

0.002EPSS

2023-04-20 04:15 PM
16
cve
cve

CVE-2022-45875

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users.....

9.8CVSS

9.4AI Score

0.001EPSS

2023-01-04 03:15 PM
33
cve
cve

CVE-2022-26885

When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or...

7.5CVSS

7.4AI Score

0.001EPSS

2022-11-24 04:15 PM
47
27
cve
cve

CVE-2022-45462

Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or...

9.8CVSS

9.7AI Score

0.009EPSS

2022-11-23 09:15 AM
36
11
cve
cve

CVE-2022-34662

When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or...

6.5CVSS

6.4AI Score

0.0005EPSS

2022-11-01 04:15 PM
37
2
cve
cve

CVE-2022-26884

Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or...

6.5CVSS

6.4AI Score

0.0005EPSS

2022-10-28 08:15 AM
46
5
cve
cve

CVE-2022-25598

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or...

7.5CVSS

7.5AI Score

0.001EPSS

2022-03-30 10:15 AM
86
cve
cve

CVE-2021-27644

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account...

8.8CVSS

8.9AI Score

0.007EPSS

2021-11-01 10:15 AM
38
cve
cve

CVE-2020-13922

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API...

6.5CVSS

6.5AI Score

0.001EPSS

2021-01-11 10:15 AM
35
cve
cve

CVE-2020-11974

In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as...

9.8CVSS

9.7AI Score

0.031EPSS

2020-12-18 09:15 PM
66
5