32 matches found
CVE-2023-51770
CVE-2023-51770 affects Apache DolphinScheduler and is described as an Arbitrary File Read Vulnerability exploitable before version 3.2.1. The vulnerability affects DolphinScheduler components (disclosed across multiple feeds) and is mitigated by upgrading to version 3.2.1. Exploitation details or...
CVE-2023-49250
CVE-2023-49250 affects Apache DolphinScheduler prior to 3.2.0, where the HttpUtils class fails to verify TLS certificates. This allows an attacker in a MITM position on outgoing HTTPS connections to impersonate the server, potentially impacting confidentiality, integrity, and availability of the ...
CVE-2023-50270
Summary: CVE-2023-50270 affects Apache DolphinScheduler and relates to session fixation. The authenticated user session remains valid after a password change, enabling potential misuse. Public references from multiple sources (Red Hat, OSV, CVE notes, Veracode analysis, GitHub advisories) converg...
CVE-2023-49109
CVE-2023-49109 affects Apache DolphinScheduler prior to 3.2.1, described as exposure of remote code execution. Public documents align on a DolphinScheduler RCE risk and advise upgrading to version 3.2.1 to mitigate. Connected sources also reference related advisories (GHSA OSV/NVD) with similar r...
CVE-2024-23320
CVE-2024-23320 is an improper input validation vulnerability in Apache DolphinScheduler (up to version 3.2.1). An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. The issue is described as a legacy of CVE-2023-49299, with an additional patch applied to ...
CVE-2022-25598
CVE-2022-25598 affects Apache DolphinScheduler. The vulnerability is a Regular Expression Denial of Service (ReDoS) in the user registration interface, exploited by crafted input to cause denial of service. Impact is partial availability degradation of the application. The public guidance in the ...
CVE-2020-11974
Technical details for CVE-2020-11974 are not publicly available in the provided documents. No affected products/versions/fixes are specified beyond the initial description. Monitor for updates.
CVE-2022-26884
CVE-2022-26884 affects Apache DolphinScheduler prior to version 2.0.6, introducing a path traversal vulnerability where a log server request could allow reading arbitrary files. The root cause is inadequate filtering of resources/files in path handling. Impact is limited to confidentiality (high)...
CVE-2024-30188
CVE-2024-30188 (Apache DolphinScheduler): Affected versions are 3.1.0 up to, but not including, 3.2.2. The issue is a resource file read/write vulnerability that allows authenticated users to access (and potentially modify) additional resource files. The core impact is unauthorized access to res...
CVE-2022-26885
Apache Dolphin Scheduler is affected by CVE-2022-26885, where using tasks to read config files can disclose database passwords. The issue stems from improper handling of logs in LoggerRequestProcessor.java, per Veracode and related advisories. Affected product: Dolphin Scheduler server; vulnerabi...
CVE-2023-49299
CVE-2023-49299 (Apache DolphinScheduler): An authenticated user can trigger server-side, unsandboxed JavaScript execution due to improper input validation. The issue affects DolphinScheduler prior to fixed versions and is treated as a legacy/continued vulnerability in later advisories. A fix is ...
CVE-2023-48796
CVE-2023-48796 affects Apache DolphinScheduler (3.0.0–3.0.1). Root cause: exposure of sensitive information to unauthorized actors via the management endpoints web exposure, enabling leakage such as database credentials. Impact per sources: unauthorized access to sensitive data; high CVSS appears...
CVE-2022-34662
CVE-2022-34662 affects Apache DolphinScheduler. The resource-center path traversal vulnerability occurs when users add resources with a relation path and is applicable to versions prior to 3.0.0. The vulnerability is described as present for logged-in users, with the recommended remediation to up...
CVE-2022-45875
Apache DolphinScheduler (CVE-2022-45875) is affected by improper validation of script alert plugin parameters, allowing remote command execution. The issue affects 3.0.1 and earlier, and 3.1.0 and earlier; authenticated users who can log in to DolphinScheduler could exploit it. CVSSv3.1 base scor...
CVE-2022-45462
Summary: Apache DolphinScheduler contains a command injection vulnerability in the Alarm/Alert Instance Management service when a specific command is configured. The issue affects versions prior to 2.0.6 and could allow an attacker to inject commands. The vulnerability is rated critical (CVSS v3....
CVE-2024-43202
CVE-2024-43202 is an exposure of Remote/Code Injection in Apache DolphinScheduler prior to 3.2.2. A related exploit repo (GitHub) references a code-injection vulnerability affecting DolphinScheduler, and multiple advisories describe the issue as a remote code execution risk. The core remediation ...
CVE-2020-13922
CVE-2020-13922 affects Apache DolphinScheduler prior to 1.3.2. An ordinary user under any tenant can override another user’s password via the API interface. Connected documents corroborate the same description across multiple sources (Red Hat, OSV, GHSA, CVE records). The exact remediation steps ...
CVE-2024-29831
CVE-2024-29831 relates to an improper input validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server, potentially enabling remote code execution. Affected: DolphinScheduler; remediation guidance consistentl...
CVE-2021-27644
CVE-2021-27644 affects Apache DolphinScheduler prior to 1.3.6. Authorized users can trigger SQL injection in the data source center when using a MySQL data source with internal login credentials, potentially exposing or altering data in the underlying database. The related records consistently de...
CVE-2023-49068
CVE-2023-49068 affects Apache DolphinScheduler (before 3.2.1). The issue is exposure of sensitive information to an unauthorized actor via logs, with risk of leaking session-related data. Root cause is that log statements in the DolphinScheduler codebase may retain sensitive fields (e.g., session...
CVE-2023-25601
CVE-2023-25601 describes an improper authentication flaw in Apache DolphinScheduler’s Python gateway affecting versions 3.0.0–3.1.1. The issue could permit a socket-based attack without authentication. The vulnerability is fixed in version 3.1.2 and later. Remediation options from the documented ...
CVE-2023-49620
CVE-2023-49620 affects Apache DolphinScheduler prior to 3.1.0. An authenticated user could delete UDF functions in the resource center (an operation commonly used by SQL tasks) due to an unauthorized access (IDOR) vulnerability. Red Hat, Veracode, GHSA and CVE records corroborate the issue, with ...
CVE-2024-43166
Summary (CVE-2024-43166): Apache DolphinScheduler before 3.2.2 has an incorrect default permissions vulnerability. Multiple sources (Red Hat, NVD, OSV, CNVD, GHSA) reference the same issue and advise upgrading to 3.3.1 to fix it. The CVSSv3.1 score is listed as 9.8 (CRITICAL) with network attack...
CVE-2025-62233
CVE-2025-62233 concerns Apache DolphinScheduler’s RPC module. A deserialization of untrusted data vulnerability affects versions >= 3.2.0 and
CVE-2024-43115
CVE-2024-43115 affects Apache DolphinScheduler (pre-3.2.2). The issue is due to improper input validation, permitting an authenticated user to trigger execution of arbitrary shell scripts via the alert script. Upgrading to 3.3.1 is recommended and fixes the vulnerability. There is no exploitation...
CVE-2026-23902
CVE-2026-23902 concerns an Incorrect Authorization flaw in Apache DolphinScheduler. The weakness allows authenticated users with system login permissions to operate using tenants not defined on the platform during workflow execution. Affected versions are DolphinScheduler prior to 3.4.1; remediat...
CVE-2026-32967
The CVE-2026-32967 issue is an Incorrect Authorization vulnerability in Apache DolphinScheduler's /v2 experimental interface. Affected software: DolphinScheduler before version 3.4.2. Root cause: missing/incorrect permission checks on the /v2 endpoint. Impact: authorization bypass risk for the in...
CVE-2025-62188
CVE-2025-62188 concerns an exposure of sensitive information via the management actuator endpoints in Apache DolphinScheduler. The affected line is 3.1.x, with guidance to upgrade to version 3.2.0 or later. A temporary workaround is to constrain exposed endpoints using the environment variable MA...
CVE-2026-32966
CVE-2026-32966 affects Apache DolphinScheduler prior to 3.4.2. A missing authorization check in the DataSource API allows exposure of arbitrary data source metadata to unauthenticated users, enabling potential disclosure of sensitive information. The issue’s root cause is insufficient access control on ...
CVE-2026-47340
CVE-2026-47340 describes an authorization flaw in Apache DolphinScheduler prior to 3.4.2 where authenticated users can access alert instances tied to alert groups they should not access. The issue affects DolphinScheduler up to version before 3.4.2; the recommended fix is upgrading to version 3.4...
CVE-2026-41280
CVE-2026-41280 affects Apache DolphinScheduler prior to 3.4.2. The issue is an Incorrect Authorization vulnerability where users with system login privileges can delete task definitions in unauthorized projects due to insufficient access controls. The documented impact is deletion of task definit...
CVE-2026-42357
CVE-2026-42357 describes an Incorrect Authorization vulnerability in Apache DolphinScheduler. The issue allows users to access workflow instance information for projects they should not access. Affected versions are DolphinScheduler