Apache DolphinScheduler: Resource File Read And Write Vulnerability
Description
File read and write vulnerability in Apache DolphinScheduler: authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler from 3.1.0 before 3.2.2.
Users are recommended to upgrade to version 3.2.2, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can read and write arbitrary resource files in Apache DolphinScheduler versions before 3.2.2, leading to unauthorized file access.
Vulnerability
CVE-2024-30188 is a file read and write vulnerability in Apache DolphinScheduler, an open-source distributed workflow scheduler. The issue stems from insufficient access control checks, allowing authenticated users to access resource files that they should not be able to read or write. This affects versions from 3.1.0 up to (but not including) 3.2.2 [1].
Exploitation
An attacker must have a valid authenticated session in DolphinScheduler. No special privileges are required beyond standard user authentication. The vulnerability can be exploited by manipulating file access requests to bypass intended restrictions, enabling the attacker to read or write arbitrary resource files stored on the server.
Impact
Successful exploitation allows an attacker to read sensitive information from other users' resource files, such as configuration data or scripts, and potentially write malicious content to files, leading to further compromise of the system's data integrity and confidentiality.
Mitigation
The Apache Software Foundation has fixed this vulnerability in DolphinScheduler version 3.2.2. Users are strongly recommended to upgrade to this version or later to mitigate the risk. No workarounds are known for unpatched versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | >= 3.1.0, < 3.2.2 | 3.2.2 |
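To check a build against the affected range in the table above, the following added example (not code from the advisory or from the DolphinScheduler project) scans a pom.xml for dependencies in the org.apache.dolphinscheduler group and classifies each declared version. It assumes every artifact in that group follows the project version; the sample pom, the property name and the example-module artifact names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

GROUP_ID = "org.apache.dolphinscheduler"       # group from the advisory's package row
AFFECTED_FROM, FIXED_IN = (3, 1, 0), (3, 2, 2)  # affected: >= 3.1.0, < 3.2.2

def classify(version):
    """Map a version string to 'affected', 'not affected' or 'unknown'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return "unknown"              # missing, unresolved or non-numeric version
    v = tuple(int(g) for g in m.groups()[:3])
    if AFFECTED_FROM <= v < FIXED_IN:
        return "affected"
    if v == FIXED_IN and m.group(4):
        return "unknown"              # qualifier on 3.2.2 (e.g. -SNAPSHOT): check by hand
    return "not affected"

def scan_pom(pom_xml):
    """Return [(artifactId, version, status)] for dependencies in GROUP_ID."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():            # drop the Maven namespace prefix from tags
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []
    for dep in root.iter("dependency"):
        if (dep.findtext("groupId") or "").strip() != GROUP_ID:
            continue
        version = (dep.findtext("version") or "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:                       # resolve ${property} from <properties>
            version = props.get(ref.group(1), version)
        artifact = (dep.findtext("artifactId") or "").strip()
        findings.append((artifact, version, classify(version)))
    return findings

# Constructed sample pom.xml (artifact names other than the advisory's are illustrative)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><ds.version>3.1.9</ds.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.dolphinscheduler</groupId><artifactId>dolphinscheduler</artifactId><version>${ds.version}</version></dependency>
    <dependency><groupId>org.apache.dolphinscheduler</groupId><artifactId>example-module-a</artifactId><version>3.2.2</version></dependency>
    <dependency><groupId>org.apache.dolphinscheduler</groupId><artifactId>example-module-b</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>unrelated</artifactId><version>3.1.5</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, status in scan_pom(SAMPLE_POM):
        print(f"{artifact:20} {version or '(none)':10} {status}")
```

A status of "unknown" means the version is inherited from a parent pom or dependencyManagement, or carries a qualifier on 3.2.2, and needs to be resolved against the effective pom.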
Affected products
- Apache Software Foundation/Apache DolphinScheduler (v5), Range: 3.1.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-4vv4-crw4-8pcw (ghsa, ADVISORY)
- lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-30188 (ghsa, ADVISORY)