VYPR
High severity · NVD Advisory · Published Feb 20, 2024 · Updated Mar 27, 2025

Apache DolphinScheduler: Arbitrary File Read Vulnerability

CVE-2023-51770

Description

Arbitrary File Read Vulnerability in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.2.1.

We recommend that users upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache DolphinScheduler before 3.2.1 has an arbitrary file read vulnerability allowing unauthorized access to sensitive files on the server.

Vulnerability

Overview

CVE-2023-51770 is an arbitrary file read vulnerability in Apache DolphinScheduler, affecting versions 1.2.0 through 3.2.0 (before 3.2.1). The root cause lies in insufficient input validation within the API layer, specifically related to MySQL connection properties as addressed in the fix [4]. This flaw allows an attacker to read arbitrary files from the server's filesystem without proper authorization [1][3].

Exploitation and Attack Surface

The vulnerability is exploitable via the web API or user interface of DolphinScheduler. An attacker does not require high privileges but must have network access to a vulnerable instance. The attack can be executed by sending crafted requests that manipulate file read operations, bypassing intended access controls. No authentication is strictly necessary, although some exposure may depend on deployment configuration [3]. The open-source project's GitHub page indicates that DolphinScheduler provides a wide range of built-in job types and API endpoints, which expand the attack surface [2].

Impact

Successful exploitation enables an attacker to read sensitive files on the server, including configuration files, credentials, private keys, and other proprietary data. This could lead to further compromise of the DolphinScheduler environment and associated data sources. The severity is rated as important, and the vulnerability has been reported by security researchers [3].

Mitigation

Apache has released version 3.2.1, which fixes the issue by enhancing input validation in the affected API [1][4]. Users are strongly advised to upgrade immediately. There are no known workarounds; upgrading is the only reliable mitigation. The fix is included in the project's main branch and pull request #15433 [4].
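One defensive check in the spirit of the fix described above, as an added example in Python (not DolphinScheduler's own code, which is Java): reject user-supplied MySQL JDBC connection properties that are not allowlisted, matching keys case-insensitively and after URL-decoding so that case or encoding variations cannot slip past. The blocked property names are MySQL Connector/J options I assume to be the relevant ones; the advisory does not name the properties the 3.2.1 fix filters, and the allowlist is likewise an assumption to tighten per deployment.

```python
import json
from urllib.parse import parse_qsl, unquote


class UnsafeConnectionProperty(ValueError):
    """Raised when a user-supplied JDBC property must not reach the driver."""


# Assumption: these MySQL Connector/J options can make the JDBC *client* read
# local files or deserialize server-controlled data. The advisory does not list
# the exact properties the 3.2.1 fix filters, so this set is illustrative.
BLOCKED = {"allowloadlocalinfile", "allowloadlocalinfileinpath",
           "allowurlinlocalinfile", "autodeserialize"}

# Allowlist of properties a datasource form legitimately needs (assumption).
ALLOWED = {"usessl", "requiressl", "servertimezone", "characterencoding",
           "useunicode", "connecttimeout", "sockettimeout"}


def _normalise(key: str) -> str:
    # Decode and fold case so "AllowLoadLocalInfile" or "allow%4coadLocalInfile"
    # cannot evade a naive exact-string comparison.
    return unquote(key).strip().lower()


def parse_other_params(raw) -> dict:
    """Accept the JSON object or 'k=v&k=v' string a datasource form submits."""
    if isinstance(raw, dict):
        return dict(raw)
    raw = raw.strip()
    if raw.startswith("{"):
        return json.loads(raw)
    return dict(parse_qsl(raw, keep_blank_values=True))


def validate_mysql_properties(raw) -> dict:
    """Return only safe, allowlisted properties; raise on anything else."""
    clean = {}
    for key, value in parse_other_params(raw).items():
        norm = _normalise(key)
        if norm in BLOCKED:
            raise UnsafeConnectionProperty(f"blocked property: {key}")
        if norm not in ALLOWED:
            raise UnsafeConnectionProperty(f"property not allowlisted: {key}")
        # Values end up inside a JDBC URL: refuse separators that could
        # smuggle a second property past this check.
        if any(c in str(value) for c in "&=?;\n\r"):
            raise UnsafeConnectionProperty(f"illegal character in value of {key}")
        clean[key] = str(value)
    return clean
```

Apply the check on the server side, before the properties are merged into the JDBC URL or passed to the driver; client-side form validation alone does not stop crafted API requests.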

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                               | Ecosystem | Affected versions | Patched versions
org.apache.dolphinscheduler:dolphinscheduler          | Maven     | < 3.2.1           | 3.2.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.