Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin
Description
Improper validation of script alert plugin parameters in Apache DolphinScheduler leads to a remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users who can log in to DS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper validation in Apache DolphinScheduler's script alert plugin allows authenticated users to execute remote commands, affecting versions up to 3.0.1 and 3.1.0.
Vulnerability
Description
CVE-2022-45875 is a remote command execution vulnerability in the Apache DolphinScheduler script alert plugin. The plugin fails to properly validate parameters passed to it, allowing an attacker to inject arbitrary commands. This issue stems from insufficient input sanitization, which can be exploited by an authenticated user [1][3].
Exploitation
Conditions
The attack requires the attacker to have valid credentials to log into the DolphinScheduler web interface. Once authenticated, the attacker can craft malicious parameters within the script alert plugin to execute arbitrary commands on the server. The vulnerability affects versions 3.0.1 and prior, as well as versions 3.1.0 and prior [1][3]. The attack can be performed remotely if the DolphinScheduler web UI is accessible over the network.
Impact
Successful exploitation allows an attacker to execute arbitrary commands within the context of the DolphinScheduler service, potentially leading to full compromise of the server, data exfiltration, or disruption of workflows. Given DolphinScheduler's role as a data orchestration platform, this could have significant impact on data pipelines and integrated systems.
Mitigation
The Apache DolphinScheduler project has addressed this issue in subsequent releases. Users are strongly advised to upgrade to the latest version of DolphinScheduler to remediate this vulnerability. No workarounds have been identified for the affected versions [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler | Maven | < 3.0.2 | 3.0.2 |
| org.apache.dolphinscheduler:dolphinscheduler | Maven | >= 3.1.0, < 3.1.1 | 3.1.1 |
Affected products
- Apache Software Foundation / Apache DolphinScheduler (CVE record v5, version range: 3.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3xh5-8hvq-rc8x (source: GHSA; type: advisory)
- lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r (source: GHSA; type: vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2022-45875 (source: GHSA; type: advisory)
- www.openwall.com/lists/oss-security/2023/11/22/2 (source: GHSA; type: web)
- github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2023-4.yaml (source: GHSA; type: web)
News mentions
No linked articles in our index yet.