CVE-2022-45875

Source
https://cve.org/CVERecord?id=CVE-2022-45875
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45875.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-45875
Aliases
Published
2023-01-04T14:57:45.334Z
Modified
2026-07-08T06:00:17.872034621Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin
Details

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "3.0"
                },
                {
                    "last_affected": "3.0.1"
                },
                {
                    "introduced": "3.1"
                },
                {
                    "last_affected": "3.1.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/45xxx/CVE-2022-45875.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/dolphinscheduler

Affected ranges

Type
GIT
Repo
https://github.com/apache/dolphinscheduler
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:dolphinscheduler:3.1.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.0.2"
        },
        {
            "introduced": "3.1.0"
        },
        {
            "last_affected": "3.1.0"
        }
    ]
}

Affected versions

1.*
1.1.0-preview
3.*
3.0.0
3.0.0-beta-1
3.0.0-beta-2
3.0.1
3.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45875.json"