Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12N2hnLTc3djktMjQ0Nc4AA4HT
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9.
Users are recommended to upgrade to version 3.1.9, which fixes the issue.
Permalink: https://github.com/advisories/GHSA-v7hg-77v9-2445JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12N2hnLTc3djktMjQ0Nc4AA4HT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-v7hg-77v9-2445, CVE-2023-49299
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-49299
- https://github.com/apache/dolphinscheduler/pull/15228
- https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm
- https://github.com/apache/dolphinscheduler/commit/b5eddc0ce85d379080a51bf2162477f7d8c1b7d2
- http://www.openwall.com/lists/oss-security/2024/02/23/3
- https://github.com/advisories/GHSA-v7hg-77v9-2445
Blast Radius: 15.8
Affected Packages
maven:org.apache.dolphinscheduler:dolphinscheduler-master
Dependent packages: 2Dependent repositories: 62
Downloads:
Affected Version Ranges: < 3.1.9
Fixed in: 3.1.9
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8
All unaffected versions: 3.1.9, 3.2.0, 3.2.1