Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yYzZoLXF3ajktMmM1M84AA5em

Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server.

This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.

This issue affects Apache DolphinScheduler: until 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.

Permalink: https://github.com/advisories/GHSA-rc6h-qwj9-2c53
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yYzZoLXF3ajktMmM1M84AA5em
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 2 months ago
Updated: 2 months ago

Identifiers: GHSA-rc6h-qwj9-2c53, CVE-2024-23320
References:

Repository: https://github.com/apache/dolphinscheduler
Blast Radius: 1.0

Affected Packages

maven:org.apache.dolphinscheduler:dolphinscheduler

Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 3.2.1
Fixed in: 3.2.1
All affected versions: 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0
All unaffected versions: 3.2.1