8.8

CVE-2024-23320

Apache DolphinScheduler: Arbitrary js execution as root for authenticated users

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.

This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.

This issue affects Apache DolphinScheduler: until 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheDolphinscheduler Version < 3.2.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.39% 0.687
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.openwall.com/lists/oss-security/2024/02/23/3
Third Party Advisory
Mailing List
https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm
Vendor Advisory
https://github.com/apache/dolphinscheduler/pull/15487
Patch
Issue Tracking
https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq
Vendor Advisory
https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp
Vendor Advisory