Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has improper authentication
Description
Apache DolphinScheduler 3.0.0–3.1.1 lacks authentication in the Python gateway, allowing unauthenticated socket-based attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2023-25601 is an improper authentication vulnerability in the Apache DolphinScheduler Python gateway, affecting versions 3.0.0 through 3.1.1. The gateway fails to enforce authentication, allowing an attacker to send specially crafted socket bytes without any credentials [1][3].
Attack Vector
The attack is performed over the network via the Python gateway socket, requiring no prior authentication. An attacker with network access to the DolphinScheduler service can exploit this flaw by sending malicious socket bytes directly to the gateway endpoint [1][3]. No user interaction or privileges are needed.
Impact
Successful exploitation could allow an attacker to execute arbitrary operations exposed by the Python gateway, potentially leading to compromise of the DolphinScheduler instance, including workflow manipulation, data access, or further lateral movement within the orchestration environment [1][3].
Mitigation
The vulnerability is fixed in Apache DolphinScheduler version 3.1.2 [4]. Users on affected versions should either disable the Python gateway by setting python-gateway.enabled=false in application.yaml, or upgrade to version 3.1.2 or later [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
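A configuration check for the mitigation above, as an added example (not DolphinScheduler code): it reads the python-gateway block of an application.yaml and classifies it against the affected range 3.0.0 to 3.1.1. It assumes Spring relaxed binding maps the authToken field from the fix commit to an auth-token key; the sample YAML, the status names and the function names are constructed for illustration.

```python
"""Audit the python-gateway block of a DolphinScheduler application.yaml.

Added example. The version bounds come from the advisory on this page; the
YAML reader is a deliberately small indentation-based parser so the script
has no third-party dependency. It is not a general YAML parser.
"""

AFFECTED_FROM = (3, 0, 0)   # first affected release per the advisory
FIXED_IN = (3, 1, 2)        # first patched release per the advisory


def parse_version(text):
    """Turn 'x.y.z' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected a plain x.y.z version, got %r" % text)
    return tuple(int(p) for p in parts)


def normalize_key(key):
    """Relaxed binding: auth-token, auth_token and authToken are one key."""
    return key.strip().lower().replace("-", "").replace("_", "")


def read_section(yaml_text, section="python-gateway"):
    """Return the scalar key/value pairs directly under a top-level section."""
    values, inside = {}, False
    for raw in yaml_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] not in " \t":
            # A new top-level key (or a '---' separator) ends the section.
            inside = stripped.split("#")[0].strip() == section + ":"
            continue
        if inside and ":" in stripped:
            key, _, value = stripped.partition(":")
            value = value.split(" #", 1)[0].strip().strip("'\"")
            values[normalize_key(key)] = value
    return values


def audit(yaml_text, version):
    """Classify one config file for one installed version.

    Assumption: a missing 'enabled' key is treated as disabled, matching the
    Java default of the boolean field in the patched class. Other property
    sources (environment variables, command-line flags) are not inspected.
    """
    ver = parse_version(version)
    cfg = read_section(yaml_text)
    if cfg.get("enabled", "").lower() != "true":
        return "OK_DISABLED"
    if ver < AFFECTED_FROM:
        return "OUT_OF_RANGE"
    if ver < FIXED_IN:
        # Gateway on, and this release has no authentication at all.
        return "VULNERABLE_NO_AUTH"
    if not cfg.get("authtoken"):
        return "PATCHED_TOKEN_UNSET"
    return "OK_TOKEN_SET"


# Constructed sample inputs (not taken from a real deployment).
SAMPLE_ENABLED_NO_TOKEN = """\
server:
  port: 12345
python-gateway:
  # constructed sample
  enabled: true
  gateway-server-address: 0.0.0.0
"""

SAMPLE_DISABLED = """\
python-gateway:
  enabled: false
"""

SAMPLE_WITH_TOKEN = """\
python-gateway:
  enabled: true
  auth-token: "constructed-sample-token"  # constructed value
  gateway-server-address: 127.0.0.1
"""

if __name__ == "__main__":
    for name, text, ver in [
        ("enabled, 3.1.1", SAMPLE_ENABLED_NO_TOKEN, "3.1.1"),
        ("enabled, 3.1.2, no token", SAMPLE_ENABLED_NO_TOKEN, "3.1.2"),
        ("disabled, 3.0.0", SAMPLE_DISABLED, "3.0.0"),
        ("enabled, 3.1.2, token", SAMPLE_WITH_TOKEN, "3.1.2"),
    ]:
        print("%-28s %s" % (name, audit(text, ver)))
```
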
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler-api (Maven) | >= 3.0.0, < 3.1.2 | 3.1.2 |
Affected products
2- Range: 3.0.0
Patches
2f1aefae5e25d [maven-release-plugin] prepare release 3.1.2
90 files changed · +91 −91
dolphinscheduler-alert/dolphinscheduler-alert-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-api</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-dingtalk/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-dingtalk</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-email/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-email</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-feishu/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-feishu</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-http/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-http</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-pagerduty/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-pagerduty</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-script</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-slack/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-slack</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-telegram/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-telegram</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-webexteams/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-webexteams</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-wechat/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-wechat</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <packaging>pom</packaging>
dolphinscheduler-alert/dolphinscheduler-alert-server/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert-server</artifactId> <packaging>jar</packaging>
dolphinscheduler-alert/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-alert</artifactId> <packaging>pom</packaging>
dolphinscheduler-api/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-api</artifactId> <packaging>jar</packaging>
dolphinscheduler-bom/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-bom</artifactId> <packaging>pom</packaging>
dolphinscheduler-common/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-common</artifactId>
dolphinscheduler-dao/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-dao</artifactId> <name>${project.artifactId}</name>
dolphinscheduler-data-quality/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-data-quality</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-all/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-all</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-api</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-athena/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-athena</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-clickhouse/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-clickhouse</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-db2/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-db2</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-hive/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-hive</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-mysql/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-mysql</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-oracle/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-oracle</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-postgresql/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-postgresql</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-presto/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-presto</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-redshift/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-redshift</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-spark/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-spark</artifactId>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-sqlserver/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-datasource-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-sqlserver</artifactId>
dolphinscheduler-datasource-plugin/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <packaging>pom</packaging>
dolphinscheduler-dist/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-dist</artifactId>
dolphinscheduler-master/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-master</artifactId>
dolphinscheduler-meter/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-meter</artifactId>
dolphinscheduler-microbench/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-microbench</artifactId>
dolphinscheduler-python/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-python</artifactId> <packaging>jar</packaging>
dolphinscheduler-registry/dolphinscheduler-registry-all/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-registry</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-registry-all</artifactId>
dolphinscheduler-registry/dolphinscheduler-registry-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-registry</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-registry-api</artifactId>
dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-etcd/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-registry-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-registry-etcd</artifactId>
dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-mysql/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-registry-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-registry-mysql</artifactId>
dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-registry-plugins</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-registry-zookeeper</artifactId>
dolphinscheduler-registry/dolphinscheduler-registry-plugins/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-registry</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-registry-plugins</artifactId> <packaging>pom</packaging>
dolphinscheduler-registry/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-registry</artifactId> <packaging>pom</packaging>
dolphinscheduler-remote/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-remote</artifactId>
dolphinscheduler-scheduler-plugin/dolphinscheduler-scheduler-api/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-scheduler-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-scheduler-api</artifactId>
dolphinscheduler-scheduler-plugin/dolphinscheduler-scheduler-quartz/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-scheduler-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-scheduler-quartz</artifactId>
dolphinscheduler-scheduler-plugin/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-scheduler-plugin</artifactId>
dolphinscheduler-service/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-service</artifactId>
dolphinscheduler-spi/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-spi</artifactId> <name>${project.artifactId}</name>
dolphinscheduler-standalone-server/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-standalone-server</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-all/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-all</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-api/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-api</artifactId> <packaging>jar</packaging>
dolphinscheduler-task-plugin/dolphinscheduler-task-blocking/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-blocking</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-chunjun/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-chunjun</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-conditions/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-conditions</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-dataquality/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-dataquality</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-datax/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-datax</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-dependent/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-dependent</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-dinky/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-dinky</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-dvc/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-dvc</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-emr/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-emr</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-flink/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-flink</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-flink-stream/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-flink-stream</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-hivecli/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-hivecli</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-http/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-http</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-jupyter/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-jupyter</artifactId> <packaging>jar</packaging>
dolphinscheduler-task-plugin/dolphinscheduler-task-k8s/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-k8s</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-mlflow/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-mlflow</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-mr/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-mr</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-openmldb/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-openmldb</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-pigeon/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-pigeon</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-procedure/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-procedure</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-python/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-python</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-pytorch</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-sagemaker/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-sagemaker</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-seatunnel/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-seatunnel</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-shell/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-shell</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-spark/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-spark</artifactId> <packaging>jar</packaging>
dolphinscheduler-task-plugin/dolphinscheduler-task-sql/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-sql</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-sqoop/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-sqoop</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-subprocess/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-subprocess</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-switch/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-switch</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-zeppelin/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-task-plugin</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-zeppelin</artifactId> <packaging>jar</packaging>
dolphinscheduler-task-plugin/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-task-plugin</artifactId>
dolphinscheduler-tools/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-tools</artifactId>
dolphinscheduler-ui/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-ui</artifactId>
dolphinscheduler-worker/pom.xml+1 −1 modified@@ -23,7 +23,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> </parent> <artifactId>dolphinscheduler-worker</artifactId>
pom.xml+2 −2 modified@@ -24,7 +24,7 @@ </parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>3.1.2-SNAPSHOT</version> + <version>3.1.2</version> <packaging>pom</packaging> <name>${project.artifactId}</name> <description>Dolphin Scheduler is a distributed and easy-to-expand visual DAG workflow scheduling system, dedicated @@ -769,7 +769,7 @@ <connection>scm:git:https://github.com/apache/dolphinscheduler.git</connection> <developerConnection>scm:git:https://github.com/apache/dolphinscheduler.git</developerConnection> <url>https://github.com/apache/dolphinscheduler</url> - <tag>HEAD</tag> + <tag>3.1.2</tag> </scm> <profiles>
6d8befa0752c [fix] Add token as authentication for python gateway (#12893)
4 files changed · +27 −74
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/configuration/PythonGatewayConfiguration.java+7 −61 modified@@ -17,13 +17,14 @@ package org.apache.dolphinscheduler.api.configuration; +import lombok.Data; + import org.springframework.boot.context.properties.ConfigurationProperties; -import org.springframework.boot.context.properties.EnableConfigurationProperties; -import org.springframework.stereotype.Component; +import org.springframework.context.annotation.Configuration; -@Component -@EnableConfigurationProperties -@ConfigurationProperties(value = "python-gateway", ignoreUnknownFields = false) +@Data +@Configuration +@ConfigurationProperties(value = "python-gateway") public class PythonGatewayConfiguration { private boolean enabled; 
@@ -33,60 +34,5 @@ public class PythonGatewayConfiguration { private int pythonPort; private int connectTimeout; private int readTimeout; - - public boolean getEnabled() { - return enabled; - } - - public void setEnabled(boolean enabled) { - this.enabled = enabled; - } - - public String getGatewayServerAddress() { - return gatewayServerAddress; - } - - public void setGatewayServerAddress(String gatewayServerAddress) { - this.gatewayServerAddress = gatewayServerAddress; - } - - public int getGatewayServerPort() { - return gatewayServerPort; - } - - public void setGatewayServerPort(int gatewayServerPort) { - this.gatewayServerPort = gatewayServerPort; - } - - public String getPythonAddress() { - return pythonAddress; - } - - public void setPythonAddress(String pythonAddress) { - this.pythonAddress = pythonAddress; - } - - public int getPythonPort() { - return pythonPort; - } - - public void setPythonPort(int pythonPort) { - this.pythonPort = pythonPort; - } - - public int getConnectTimeout() { - return connectTimeout; - } - - public void setConnectTimeout(int connectTimeout) { - this.connectTimeout = connectTimeout; - } - - public int getReadTimeout() { - return readTimeout; - } - - public void setReadTimeout(int readTimeout) { - this.readTimeout = readTimeout; - } + private String authToken; }
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/python/PythonGateway.java+14 −13 modified@@ -62,8 +62,10 @@ import org.apache.dolphinscheduler.spi.enums.ResourceType; import py4j.GatewayServer; +import py4j.GatewayServer.GatewayServerBuilder; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang3.StringUtils; import java.io.IOException; import java.net.InetAddress; @@ -657,28 +659,27 @@ public Integer createOrUpdateResource( @PostConstruct public void init() { - if (pythonGatewayConfiguration.getEnabled()) { + if (pythonGatewayConfiguration.isEnabled()) { this.start(); } } private void start() { - GatewayServer server; try { InetAddress gatewayHost = InetAddress.getByName(pythonGatewayConfiguration.getGatewayServerAddress()); - InetAddress pythonHost = InetAddress.getByName(pythonGatewayConfiguration.getPythonAddress()); - server = new GatewayServer( - this, - pythonGatewayConfiguration.getGatewayServerPort(), - pythonGatewayConfiguration.getPythonPort(), - gatewayHost, - pythonHost, - pythonGatewayConfiguration.getConnectTimeout(), - pythonGatewayConfiguration.getReadTimeout(), - null); + GatewayServerBuilder serverBuilder = new GatewayServer.GatewayServerBuilder() + .entryPoint(this) + .javaAddress(gatewayHost) + .javaPort(pythonGatewayConfiguration.getGatewayServerPort()) + .connectTimeout(pythonGatewayConfiguration.getConnectTimeout()) + .readTimeout(pythonGatewayConfiguration.getReadTimeout()); + if (!StringUtils.isEmpty(pythonGatewayConfiguration.getAuthToken())) { + serverBuilder.authToken(pythonGatewayConfiguration.getAuthToken()); + } + GatewayServer.turnLoggingOn(); logger.info("PythonGatewayService started on: " + gatewayHost.toString()); - server.start(); + serverBuilder.build().start(); } catch (UnknownHostException e) { logger.error("exception occurred while constructing PythonGatewayService().", e); }
dolphinscheduler-api/src/main/resources/application.yaml+3 −0 modified@@ -127,6 +127,9 @@ metrics: python-gateway: # Weather enable python gateway server or not. The default value is true. enabled: true + # Authentication token for connection from python api to python gateway server. Should be changed the default value + # when you deploy in public network. + auth-token: jwUDzpLsNKEFER4*a8gruBH_GsAurNxU7A@Xc # The address of Python gateway server start. Set its value to `0.0.0.0` if your Python API run in different # between Python gateway server. It could be be specific to other address like `127.0.0.1` or `localhost` gateway-server-address: 0.0.0.0
dolphinscheduler-standalone-server/src/main/resources/application.yaml+3 −0 modified@@ -188,6 +188,9 @@ alert: python-gateway: # Weather enable python gateway server or not. The default value is true. enabled: true + # Authentication token for connection from python api to python gateway server. Should be changed the default value + # when you deploy in public network. + auth-token: jwUDzpLsNKEFER4*a8gruBH_GsAurNxU7A@Xc # The address of Python gateway server start. Set its value to `0.0.0.0` if your Python API run in different # between Python gateway server. It could be be specific to other address like `127.0.0.1` or `localhost` gateway-server-address: 0.0.0.0
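Review bot: In the first PythonGatewayConfiguration.java hunk, the new `@ConfigurationProperties(value = "python-gateway")` drops `ignoreUnknownFields = false`, so a misspelled key under `python-gateway` is now ignored at startup instead of being rejected. Because this same commit introduces `authToken`, a typo in `auth-token` would leave the field null without any error. Suggest keeping `ignoreUnknownFields = false`, or stating in the commit message why strict binding was relaxed.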
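Review bot: In the second PythonGatewayConfiguration.java hunk, `private String authToken;` is added to a class that now carries `@Data`, whose generated `toString()` includes every field, so any log statement that prints the configuration object would write the token in clear text. Suggest annotating the field with `@ToString.Exclude`, or replacing `@Data` with `@Getter`/`@Setter` so no `toString()` is generated for this class.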
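Review bot: In `start()` in PythonGateway.java, `serverBuilder.authToken(...)` is called only when `StringUtils.isEmpty(pythonGatewayConfiguration.getAuthToken())` is false, so an empty or missing `auth-token` still starts the gateway with no authentication and nothing in the log says so. Suggest refusing to start when the gateway is enabled and the token is empty, or at minimum logging a warning on that branch. Separately, the builder no longer receives `getPythonAddress()` and `getPythonPort()` while `pythonPort` remains in the configuration class; either pass them to the builder or remove the unused properties.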
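Review bot: Both application.yaml hunks commit a fixed `auth-token` value directly under `enabled: true` and above `gateway-server-address: 0.0.0.0`, so every installation that keeps the shipped file shares one token that anyone can read in the repository. Suggest shipping the key without a value and requiring the operator to set it, or generating a token on first start. The added comment also needs a wording fix ("Should be changed the default value").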
Vulnerability mechanics
Root cause
"The Python gateway server in Apache DolphinScheduler accepted socket connections without any authentication, allowing any network peer to send commands."
Attack vector
An attacker who can reach the Python gateway port (default gateway-server-port) can open a raw socket connection and send arbitrary Py4J commands without providing any credentials. The gateway server did not validate the identity of the connecting client, so the attacker can invoke any exposed Java method on the gateway entry point. This gives the attacker the same control over the DolphinScheduler API as a legitimate Python client, including creating workflows, managing resources, and executing commands. The vulnerability is exploitable over the network without any prior authentication or user interaction [patch_id=1641048].
Affected code
The vulnerability resides in `PythonGateway.java` where the `start()` method constructed a `GatewayServer` without passing an authentication token (the last `null` argument in the old constructor) [patch_id=1641048]. The `PythonGatewayConfiguration.java` class lacked an `authToken` field, so no token could be configured. The fix modifies both files and adds the `auth-token` property to the `application.yaml` configuration files.
What the fix does
The patch introduces an `authToken` configuration property in `PythonGatewayConfiguration` and passes it to the Py4J `GatewayServerBuilder` via `serverBuilder.authToken()` when the token is non-empty [patch_id=1641048]. The Py4J library then enforces that connecting Python clients must supply the matching token before any method calls are accepted. The default token value `jwUDzpLsNKEFER4*a8gruBH_GsAurNxU7A@Xc` is set in both `application.yaml` files, and administrators are advised to change it for public deployments. This closes the authentication gap by requiring a shared secret for every gateway connection.
Preconditions
- config: The python-gateway feature must be enabled (`enabled: true`, which is the default)
- network: The attacker must have network access to the gateway server port (default `gateway-server-port`)
- input: No authentication token was configured (pre-patch, no token mechanism existed)
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
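An operator-side check for the preconditions listed above, as an added example that is not part of the advisory or of DolphinScheduler's code: it reads the `python-gateway` block of an `application.yaml` and reports a missing token, the default token committed in the patch, and a bind to `0.0.0.0`. The function names, finding labels and sample file are constructed for illustration, and the reader assumes the flat `key: value` layout shown in the patch.

```python
import re

# Token committed with the fix in both application.yaml files, so it is public.
SHIPPED_DEFAULT_TOKEN = "jwUDzpLsNKEFER4*a8gruBH_GsAurNxU7A@Xc"

# Constructed sample, modelled on the application.yaml lines in the patch.
SAMPLE_SHIPPED = """\
python-gateway:
  # Weather enable python gateway server or not. The default value is true.
  enabled: true
  auth-token: jwUDzpLsNKEFER4*a8gruBH_GsAurNxU7A@Xc
  gateway-server-address: 0.0.0.0
"""


def read_gateway_block(yaml_text):
    """Return the scalar keys under the top-level `python-gateway:` mapping."""
    settings, inside = {}, False
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():  # a top-level key opens or closes the block
            inside = raw.split("#")[0].strip() == "python-gateway:"
            continue
        match = re.match(r"\s+([\w-]+):\s*(.*)$", raw) if inside else None
        if match:
            value = re.sub(r"\s+#.*$", "", match.group(2)).strip()
            settings[match.group(1)] = value.strip("'\"")
    return settings


def audit_gateway(yaml_text):
    """List which CVE-2023-25601 preconditions the configuration still meets."""
    cfg = read_gateway_block(yaml_text)
    # Assumption: a missing `enabled` key is treated as enabled, per the file's comment.
    if cfg.get("enabled", "true").lower() != "true":
        return []
    findings = []
    token = cfg.get("auth-token", "")
    if not token:
        findings.append("no-auth-token")
    elif token == SHIPPED_DEFAULT_TOKEN:
        findings.append("shipped-default-token")
    if cfg.get("gateway-server-address") == "0.0.0.0":
        findings.append("binds-all-interfaces")
    return findings


if __name__ == "__main__":
    print(audit_gateway(SAMPLE_SHIPPED))
```

An empty list means the gateway is either disabled or configured with a non-default token and a specific bind address.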
References
- github.com/advisories/GHSA-3jxw-cv35-2mmv (ghsa, ADVISORY)
- lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-25601 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2023/04/20/10 (ghsa, WEB)
- github.com/apache/dolphinscheduler/pull/12893 (ghsa, WEB)
- github.com/apache/dolphinscheduler/releases/tag/3.1.2 (ghsa, WEB)