21 matches found
CVE-2023-49250
CVE-2023-49250 affects Apache DolphinScheduler prior to 3.2.0, where the HttpUtils class fails to verify TLS certificates. This allows an attacker in a MITM position on outgoing HTTPS connections to impersonate the server, potentially impacting confidentiality, integrity, and availability of the ...
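The failure described for CVE-2023-49250 is a client that skips certificate verification on outbound HTTPS. The block below is an added example, not DolphinScheduler's HttpUtils code: it shows the weak client configuration beside the corrected one in Python's `ssl` module (the Java equivalent is a trust-all TrustManager with a no-op hostname verifier) and an audit function that reports which verification steps a context would skip.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """Weak pattern: a client context that accepts any certificate for any
    name. A machine-in-the-middle can present its own certificate and the
    client will complete the handshake and send credentials to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected pattern: the default context validates the chain against the
    system CA store (or a supplied bundle, e.g. an internal CA) and checks the
    hostname; pinning the minimum version also refuses a downgrade to TLS 1.0/1.1."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses of a client context. An empty list
    means an impersonating server would be rejected at handshake time."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

Use `hardened_client_context()` wherever the service opens outbound HTTPS (alert webhooks, resource downloads, API calls); when an internal CA issues the server certificates, pass its bundle as `ca_bundle` rather than disabling verification.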
CVE-2024-23320
CVE-2024-23320 is an improper input validation vulnerability in Apache DolphinScheduler (versions before 3.2.1). An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. The issue is described as a legacy of CVE-2023-49299 that the earlier fix did not fully close, with an additional patch applied to ...
CVE-2022-25598
CVE-2022-25598 affects Apache DolphinScheduler. The vulnerability is a Regular Expression Denial of Service (ReDoS) in the user registration interface, exploited by crafted input to cause denial of service. Impact is partial availability degradation of the application. The public guidance in the ...
CVE-2022-26884
CVE-2022-26884 affects Apache DolphinScheduler prior to version 2.0.6, introducing a path traversal vulnerability where a log server request could allow reading arbitrary files. The root cause is inadequate filtering of resources/files in path handling. Impact is limited to confidentiality (high)...
CVE-2023-49299
CVE-2023-49299 (Apache DolphinScheduler): An authenticated user can trigger server-side, unsandboxed JavaScript execution due to improper input validation. The issue affects DolphinScheduler versions prior to the fixed release, and later advisories treat the original fix as incomplete (see CVE-2024-23320). A fix is ...
CVE-2022-26885
Apache DolphinScheduler is affected by CVE-2022-26885, where using tasks to read config files can disclose database passwords. The issue stems from improper handling of logs in LoggerRequestProcessor.java, per Veracode and related advisories. Affected product: DolphinScheduler server; vulnerabi...
CVE-2022-34662
CVE-2022-34662 affects Apache DolphinScheduler. The resource-center path traversal vulnerability occurs when users add resources with a relative path and is applicable to versions prior to 3.0.0. The vulnerability is described as present for logged-in users, with the recommended remediation to up...
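CVE-2022-26884 (arbitrary file read through the log server) and CVE-2022-34662 (resource paths containing traversal components) share one root cause: a client-supplied path is joined to a base directory without confirming that the result still lies inside it. The block below is an added example, not DolphinScheduler's own path handling; the base directory and file names are constructed for illustration. It shows the containment check a practitioner would want: decode once, reject absolute paths and NUL bytes, normalise, then compare against the base with a trailing separator.

```python
import posixpath
from urllib.parse import unquote


class PathEscapeError(ValueError):
    """Raised when a client-supplied path would leave the base directory."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Map a client-supplied relative path onto base_dir and return the
    normalised absolute path, or raise PathEscapeError.

    Path arithmetic only: on a real filesystem, additionally pass both sides
    through os.path.realpath so a symlink inside base_dir cannot point out.
    """
    decoded = unquote(user_path)            # "..%2f" must become "../" before checks
    if not decoded.strip():
        raise PathEscapeError("empty path")
    if "\x00" in decoded:
        raise PathEscapeError("NUL byte in path")
    if "\\" in decoded:
        raise PathEscapeError("backslash in path")   # separator on Windows hosts
    if posixpath.isabs(decoded):
        raise PathEscapeError("absolute path not allowed")   # join() would discard base_dir

    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # The separator suffix stops "/var/logs" from accepting "/var/logs-other/x".
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathEscapeError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


if __name__ == "__main__":
    LOG_DIR = "/var/dolphinscheduler/logs"          # constructed example base
    for p in ("job-1/task.log", "../../etc/passwd", "..%2F..%2Fetc/passwd", "/etc/passwd"):
        try:
            print(p, "->", resolve_under(LOG_DIR, p))
        except PathEscapeError as e:
            print(p, "-> rejected:", e)
```

The same function covers both CVEs' shapes: log-file names requested from the log server and resource names submitted to the resource center are checked with one call before any file is opened or created.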
CVE-2022-45875
Apache DolphinScheduler (CVE-2022-45875) is affected by improper validation of script alert plugin parameters, allowing remote command execution. The issue affects 3.0.1 and earlier, and 3.1.0 and earlier; authenticated users who can log in to DolphinScheduler could exploit it. CVSSv3.1 base scor...
CVE-2022-45462
Summary: Apache DolphinScheduler contains a command injection vulnerability in the Alarm/Alert Instance Management service when a specific command is configured. The issue affects versions prior to 2.0.6 and could allow an attacker to inject commands. The vulnerability is rated critical (CVSS v3....
CVE-2021-27644
CVE-2021-27644 affects Apache DolphinScheduler prior to 1.3.6. Authorized users can trigger SQL injection in the data source center when using a MySQL data source with internal login credentials, potentially exposing or altering data in the underlying database. The related records consistently de...
CVE-2024-29831
CVE-2024-29831 relates to an improper input validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server, potentially enabling remote code execution. Affected: DolphinScheduler; remediation guidance consistentl...
CVE-2023-49068
CVE-2023-49068 affects Apache DolphinScheduler (before 3.2.1). The issue is exposure of sensitive information to an unauthorized actor via logs, with risk of leaking session-related data. Root cause is that log statements in the DolphinScheduler codebase may retain sensitive fields (e.g., session...
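For CVE-2023-49068 the practical control is to strip session identifiers and other secrets from log records before they reach a handler, so a log statement that still carries the field cannot leak it. The block below is an added example, not DolphinScheduler's logging code: a formatter that redacts values of a fixed set of sensitive keys in `key=value`, `key: value` and JSON forms. The key list and the sample messages are constructed for illustration.

```python
import logging
import re

# Field names whose values must never reach a log line (constructed list).
SENSITIVE_KEYS = ("sessionId", "session", "token", "password", "passwd", "secret", "cookie")

# Matches  key=value | key: value | "key":"value"  and captures the value separately.
_PATTERN = re.compile(
    r'(?P<key>"?(?:%s)"?\s*[=:]\s*"?)(?P<val>[^,;&\s"\]}]+)' % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace the value following any sensitive key with '***'."""
    return _PATTERN.sub(lambda m: m.group("key") + "***", text)


class RedactingFormatter(logging.Formatter):
    """Redacts the fully formatted line, so values passed via %-args or
    embedded in exception text are caught as well as literal ones."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def format_record(msg: str, *args) -> str:
    """Format one record the way a handler using RedactingFormatter would."""
    fmt = RedactingFormatter("%(levelname)s %(message)s")
    record = logging.LogRecord("dolphinscheduler", logging.INFO, __file__, 0, msg, args, None)
    return fmt.format(record)


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("dolphinscheduler")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("user %s logged in, sessionId=%s", "alice", "9f3a7c")          # constructed line
    log.info('request headers: {"Cookie":"sessionId=9f3a7c","Host":"ds"}')  # constructed line
```

Install the formatter on every handler, not only the console one; file and remote handlers are where session identifiers persist. A redaction layer is a safety net, and the log statements that include the field should still be removed.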
CVE-2023-49620
CVE-2023-49620 affects Apache DolphinScheduler prior to 3.1.0. An authenticated user could delete UDF functions in the resource center (functions commonly used by SQL tasks) due to an unauthorized access (IDOR) vulnerability. Red Hat, Veracode, GHSA and CVE records corroborate the issue, with ...
CVE-2024-43166
Summary (CVE-2024-43166): Apache DolphinScheduler before 3.2.2 has an incorrect default permissions vulnerability. Multiple sources (Red Hat, NVD, OSV, CNVD, GHSA) reference the same issue and advise upgrading to 3.3.1 to fix it. The CVSSv3.1 score is listed as 9.8 (CRITICAL) with network attack...
CVE-2024-43115
CVE-2024-43115 affects Apache DolphinScheduler (pre-3.2.2). The issue is due to improper input validation, permitting an authenticated user to trigger execution of arbitrary shell scripts via the alert script. Upgrading to 3.3.1 is recommended and fixes the vulnerability. There is no exploitation...
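CVE-2022-45875, CVE-2022-45462 and CVE-2024-43115 all concern alert or script parameters that end up in a command executed on the server. The block below is an added example, not the project's alert plugin: it runs the vulnerable concatenation pattern through a shell with `echo` standing in for the alert script so the injected command visibly executes, then shows the argv-based execution and the parameter allow-list that prevent it. The script directory and payload are constructed for illustration.

```python
import re
import subprocess
from typing import List

# Alert scripts may only be run from this directory (constructed location).
ALLOWED_SCRIPT_DIR = "/opt/dolphinscheduler/alert-scripts"
# Conservative per-argument allow-list: no whitespace, quotes, ';', '|', '&', '$', '`'.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.@:+=,/%-]{1,256}$")


def unsafe_command(script: str, user_params: str) -> str:
    """Vulnerable pattern: parameters are spliced into a command string that a
    shell will parse, so ';', '&&', '|', '$(...)' in them become new commands."""
    return f"{script} {user_params}"


def demo_shell_injection(payload: str) -> List[str]:
    """Execute the vulnerable pattern via a shell with 'echo' as the script."""
    out = subprocess.run(unsafe_command("echo", payload), shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def demo_argv_exec(payload: str) -> List[str]:
    """Same payload passed as a single argv element: no shell parses it."""
    out = subprocess.run(["echo", payload], capture_output=True, text=True)
    return out.stdout.splitlines()


def build_argv(script: str, params: List[str],
               allowed_dir: str = ALLOWED_SCRIPT_DIR) -> List[str]:
    """Hardened pattern: the script must be a plain file name under the allowed
    directory and each parameter must match SAFE_ARG. The returned list is for
    subprocess.run(argv) with shell=False; it is never joined into a string."""
    if not script.startswith(allowed_dir + "/"):
        raise ValueError("script must live under the alert-script directory")
    rel = script[len(allowed_dir) + 1:]
    if not rel or "/" in rel or rel.startswith("."):
        raise ValueError("script name may not contain path components")
    for p in params:
        if not SAFE_ARG.match(p):
            raise ValueError(f"rejected alert parameter {p!r}")
    return [script, *params]


if __name__ == "__main__":
    payload = "disk 95%; echo INJECTED"   # constructed attacker-controlled parameter
    print("shell   :", demo_shell_injection(payload))   # two lines: injection ran
    print("argv    :", demo_argv_exec(payload))         # one line: literal text
    try:
        build_argv(ALLOWED_SCRIPT_DIR + "/notify.sh", [payload])
    except ValueError as e:
        print("rejected:", e)
```

The allow-list is deliberately narrow; widen it only for characters the scripts actually need, and keep the script path fixed server-side rather than accepting it from the alert instance configuration.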
CVE-2026-23902
CVE-2026-23902 concerns an Incorrect Authorization flaw in Apache DolphinScheduler. The weakness allows authenticated users with system login permissions to operate using tenants not defined on the platform during workflow execution. Affected versions are DolphinScheduler prior to 3.4.1; remediat...
CVE-2026-32967
The CVE-2026-32967 issue is an Incorrect Authorization vulnerability in Apache DolphinScheduler's /v2 experimental interface. Affected software: DolphinScheduler before version 3.4.2. Root cause: missing/incorrect permission checks on the /v2 endpoint. Impact: authorization bypass risk for the in...
CVE-2026-47340
CVE-2026-47340 describes an authorization flaw in Apache DolphinScheduler prior to 3.4.2 where authenticated users can access alert instances tied to alert groups they are not authorized for. The recommended fix is upgrading to version 3.4...
CVE-2026-32966
CVE-2026-32966 affects Apache DolphinScheduler prior to 3.4.2. A missing authorization check in the DataSource API allows exposure of arbitrary data source metadata to unauthenticated users, enabling potential disclosure of sensitive information. The issue’s root cause is insufficient access control on ...
CVE-2026-41280
CVE-2026-41280 affects Apache DolphinScheduler prior to 3.4.2. The issue is an Incorrect Authorization vulnerability where users with system login privileges can delete task definitions in unauthorized projects due to insufficient access controls. The documented impact is deletion of task definit...
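CVE-2023-49620 (deleting UDF functions), CVE-2026-41280 (deleting task definitions in other projects), CVE-2026-42357 (reading other projects' workflow instances) and CVE-2026-23902 (running under undefined tenants) are the same object-level authorization mistake: the permission check runs against an identifier the client chose, while the object is fetched by a different identifier without confirming the two belong together. The block below is an added example, not DolphinScheduler's service code; the in-memory store, project codes, users and tenants are constructed. It shows the vulnerable shape beside the check that closes it, and the tenant validation for workflow execution.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


class Forbidden(PermissionError):
    """Raised for any authorization failure; callers map it to HTTP 403/404."""


@dataclass
class TaskDefinition:
    code: int
    project_code: int
    name: str


@dataclass
class Store:
    project_members: Dict[int, Set[str]]     # project code -> users allowed to operate it
    tasks: Dict[int, TaskDefinition]         # task code -> definition (global index)
    tenants: Set[str]                        # tenants defined on the platform
    user_tenants: Dict[str, Set[str]]        # user -> tenants the user is bound to


def make_store() -> Store:
    """Constructed sample data: alice owns project 100, bob owns project 200."""
    return Store(
        project_members={100: {"alice"}, 200: {"bob"}},
        tasks={7: TaskDefinition(7, 200, "bob-etl")},
        tenants={"default", "analytics"},
        user_tenants={"alice": {"default"}, "bob": {"default", "analytics"}},
    )


def require_project_member(store: Store, user: Optional[str], project_code: int) -> None:
    if user is None:
        raise Forbidden("login required")
    if user not in store.project_members.get(project_code, set()):
        raise Forbidden(f"{user} is not a member of project {project_code}")


def delete_task_vulnerable(store: Store, user: str, project_code: int, task_code: int) -> TaskDefinition:
    """IDOR shape: the membership check trusts the client's project_code, but
    the task is looked up by task_code alone, so a member of project 100 can
    delete a task that belongs to project 200 by sending 100."""
    require_project_member(store, user, project_code)
    return store.tasks.pop(task_code)


def delete_task(store: Store, user: str, project_code: int, task_code: int) -> TaskDefinition:
    """Fixed: the object is loaded first and its owning project must equal the
    project the caller was authorized for. Missing and foreign objects give the
    same error, so the endpoint does not confirm which task codes exist."""
    require_project_member(store, user, project_code)
    task = store.tasks.get(task_code)
    if task is None or task.project_code != project_code:
        raise Forbidden("task not found in this project")
    del store.tasks[task_code]
    return task


def select_tenant(store: Store, user: str, tenant: str) -> str:
    """Workflow execution may only run as a tenant that exists on the platform
    and is bound to the requesting user; a free-form tenant name is refused."""
    if tenant not in store.tenants:
        raise Forbidden(f"tenant {tenant!r} is not defined on the platform")
    if tenant not in store.user_tenants.get(user, set()):
        raise Forbidden(f"{user} is not bound to tenant {tenant!r}")
    return tenant


if __name__ == "__main__":
    s = make_store()
    print("vulnerable:", delete_task_vulnerable(s, "alice", 100, 7))   # bob's task is gone
    s = make_store()
    try:
        delete_task(s, "alice", 100, 7)
    except Forbidden as e:
        print("fixed:", e)
```

The same two-step pattern (authorize against the scope, then verify the loaded object is in that scope) applies to reads as well as deletes; a workflow-instance lookup that skips the second step leaks other projects' instances exactly as the delete destroys their tasks.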
CVE-2026-42357
CVE-2026-42357 describes an Incorrect Authorization vulnerability in Apache DolphinScheduler. The issue allows users to access workflow instance information for projects they should not access. Affected versions are DolphinScheduler