CVE-2024-43166
Description
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler before 3.2.2 has incorrect default permissions, potentially allowing unauthorized access; fixed in 3.3.1.
Vulnerability Overview
CVE-2024-43166 is an Incorrect Default Permissions vulnerability in Apache DolphinScheduler, affecting versions before 3.2.2 [1]. This flaw arises from improperly configured default permissions within the platform, which could allow entities to gain access levels beyond those intended by administrators.
Exploitation and Attack Surface
The vulnerability is present in the default configuration of Apache DolphinScheduler, an open-source data orchestration platform used for workflow management [2]. The platform supports multi-tenancy and permission controls for projects and data sources. Exploitation likely requires initial access to the DolphinScheduler system, possibly through a user account with limited permissions, and then leveraging the misconfigured defaults to escalate privileges or access restricted resources.
Impact
Successful exploitation could lead to unauthorized access to sensitive workflows, data sources, or administrative functions, potentially compromising the integrity and confidentiality of orchestrated data pipelines. The exact impact depends on the specific permissions that are misconfigured and the resources exposed.
Mitigation
Users are recommended to upgrade to Apache DolphinScheduler version 3.3.1, which fixes the issue [1]. The vendor's advisory (NVD) also notes that versions before 3.2.2 are affected. No workarounds are detailed in the provided references beyond upgrading.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | < 3.3.1 | 3.3.1 |
Affected products
- Range: <3.2.2
- Apache Software Foundation/Apache DolphinScheduler (v5), Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-rrpj-r8h7-rm7r (ghsa, ADVISORY)
- lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-43166 (ghsa, ADVISORY)