CVE-2020-11974
Description
In DolphinScheduler 1.2.0 and 1.2.1, with MySQL Connector/J, a remote code execution vulnerability exists when choosing MySQL as the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote code execution vulnerability in Apache DolphinScheduler 1.2.0 and 1.2.1 when using MySQL as database via malicious JDBC connection.
Vulnerability Overview
The vulnerability exists in Apache DolphinScheduler versions 1.2.0 and 1.2.1 when MySQL is selected as the database, specifically through the MySQL Connector/J driver. The exact mechanism involves improper handling of JDBC connection parameters, allowing an attacker to inject malicious code.
Attack Vector
To exploit this vulnerability, an attacker must be able to influence the JDBC connection configuration when DolphinScheduler is set to use MySQL. This could occur if an attacker has control over database connection settings (e.g., via configuration files or network injection). The attack does not require authentication to DolphinScheduler itself but requires the ability to modify the JDBC URL or driver settings.
Impact
Successful exploitation leads to remote code execution on the DolphinScheduler server. An attacker could execute arbitrary commands, potentially compromising the entire system and its data.
Mitigation
The vulnerability has been addressed in later versions of DolphinScheduler (post 1.2.1). Users are advised to upgrade to a patched release. As of the publication date, no workaround is documented. The issue is tracked as CVE-2020-11974 and referenced in related security advisories [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | < 1.3.0 | 1.3.0 |
Affected products
- DolphinScheduler/DolphinScheduler
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-jpj4-5xwp-cv23 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-11974 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/04/09/8 (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/r0de5e3d5516467c9429a8d4356eca17ccf156337345ac6b104748acb%40%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/r0de5e3d5516467c9429a8d4356eca17ccf156337345ac6b104748acb@%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r33452d7b99a293bcf8f3e4bd664943847e2602e03a9e45d09d3f508a%40%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/r33452d7b99a293bcf8f3e4bd664943847e2602e03a9e45d09d3f508a@%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r9fbe24539a873032b3e41243d44a730d6a2aae26335ac1e3271ea47d%40%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/r9fbe24539a873032b3e41243d44a730d6a2aae26335ac1e3271ea47d@%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/ra81adacbfdd6f166f9cf155340674ffd4179386b8b75068639547c11%40%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/ra81adacbfdd6f166f9cf155340674ffd4179386b8b75068639547c11@%3Ccommits.dolphinscheduler.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rcbe4c248ef0c566e99fd19388a6c92aeef88167286546b675e9b1769%40%3Cdev.dolphinscheduler.apache.org%3E (ghsa, WEB)