Dolphinscheduler
by Apache
Source repositories
CVEs (31)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49068 | 0.00 | — | 0.01 | Nov 27, 2023 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory,… | |||
| CVE-2023-48796 | 0.00 | — | 0.01 | Nov 24, 2023 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment… | |||
| CVE-2023-25601 | 0.00 | — | 0.01 | Apr 20, 2023 | On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you… | |||
| CVE-2022-45875 | 0.00 | — | 0.03 | Jan 4, 2023 | Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by… | |||
| CVE-2022-26885 | 0.00 | — | 0.01 | Nov 24, 2022 | When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher. | |||
| CVE-2022-45462 | 0.00 | — | 0.03 | Nov 23, 2022 | Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher | |||
| CVE-2022-34662 | 0.00 | — | 0.01 | Nov 1, 2022 | When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher | |||
| CVE-2022-26884 | 0.00 | — | 0.01 | Oct 28, 2022 | Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | |||
| CVE-2022-25598 | 0.00 | — | 0.02 | Mar 30, 2022 | Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | |||
| CVE-2021-27644 | 0.00 | — | 0.02 | Nov 1, 2021 | In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) | |||
| CVE-2020-13922 | 0.00 | — | 0.02 | Jan 11, 2021 | Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface. |
- CVE-2023-49068Nov 27, 2023risk 0.00cvss —epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory,…
- CVE-2023-48796Nov 24, 2023risk 0.00cvss —epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment…
- CVE-2023-25601Apr 20, 2023risk 0.00cvss —epss 0.01
On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you…
- CVE-2022-45875Jan 4, 2023risk 0.00cvss —epss 0.03
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by…
- CVE-2022-26885Nov 24, 2022risk 0.00cvss —epss 0.01
When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.
- CVE-2022-45462Nov 23, 2022risk 0.00cvss —epss 0.03
Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher
- CVE-2022-34662Nov 1, 2022risk 0.00cvss —epss 0.01
When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher
- CVE-2022-26884Oct 28, 2022risk 0.00cvss —epss 0.01
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
- CVE-2022-25598Mar 30, 2022risk 0.00cvss —epss 0.02
Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.
- CVE-2021-27644Nov 1, 2021risk 0.00cvss —epss 0.02
In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)
- CVE-2020-13922Jan 11, 2021risk 0.00cvss —epss 0.02
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.
Page 2 of 2