GHSA-3xh5-8hvq-rc8x

Source

https://github.com/advisories/GHSA-3xh5-8hvq-rc8x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-3xh5-8hvq-rc8x/GHSA-3xh5-8hvq-rc8x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3xh5-8hvq-rc8x

Aliases

Published

2023-01-04T15:30:19Z

Modified

2024-09-04T19:46:06.399816Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache DolphinScheduler vulnerable to Improper Input Validation

Details

Apache DolphinScheduler improperly validates script alert plugin parameters and is vulnerable to remote command execution. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. Users should upgrade to version 3.0.2 or 3.1.1.

Database specific

{
    "nvd_published_at": "2023-01-04T15:15:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-06T21:35:26Z"
}

References

Affected packages

Maven / org.apache.dolphinscheduler:dolphinscheduler

Package

Name: org.apache.dolphinscheduler:dolphinscheduler; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dolphinscheduler/dolphinscheduler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.2

Affected versions

1.*

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

2.*

2.0.0-alpha

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

3.*

3.0.0-alpha

3.0.0-beta-1

3.0.0-beta-2

3.0.0

3.0.1

Maven / org.apache.dolphinscheduler:dolphinscheduler

Package

Name: org.apache.dolphinscheduler:dolphinscheduler; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dolphinscheduler/dolphinscheduler