Apache DolphinScheduler Alert Plugin is vulnerable to OS command injection attacks. The vulnerability exists in the executeShellScript function of ScriptSender.java because the scripts are not validated before the alert script is executed, which allows an attacker to inject and execute arbitrary commands on the system.
www.openwall.com/lists/oss-security/2022/11/23/1
github.com/advisories/GHSA-wqg7-mx6p-2rw3
github.com/apache/dolphinscheduler/commit/69810a8a36060ae7e138fd7cdffdf2acc9eedd3b
github.com/apache/dolphinscheduler/pull/10744
github.com/apache/dolphinscheduler/pull/9834
lists.apache.org/thread/2f126y32bf1v3mvxkdgt2jr5j3l1t01w