cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-43202,https://securityvulnerability.io/vulnerability/CVE-2024-43202,DolphinScheduler Remote Code Execution Vulnerability,"Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.",Apache,Apache Dolphinscheduler,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-08-20T07:29:43.170Z,0
CVE-2024-29831,https://securityvulnerability.io/vulnerability/CVE-2024-29831,Arbitrary JavaScript Execution Vulnerability Affects Apache DolphinScheduler,"Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.",Apache,Apache Dolphinscheduler,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-08-12T13:38:00.000Z,0
CVE-2024-30188,https://securityvulnerability.io/vulnerability/CVE-2024-30188,Illegal Access to Additional Resource Files via File Read/Write Vulnerability,"A file read and write vulnerability exists in Apache DolphinScheduler that allows authenticated users to gain unauthorized access to additional resource files. This security flaw affects versions from 3.1.0 up to, but not including, 3.2.2, creating potential risks for data integrity and confidentiality. 
Users are strongly advised to upgrade to version 3.2.2 to mitigate the vulnerability, ensuring the security of their environments and data.",Apache,Apache Dolphinscheduler,8.1,HIGH,0.06321000307798386,false,,false,false,false,,,false,false,,2024-08-12T13:38:00.000Z,0
CVE-2024-23320,https://securityvulnerability.io/vulnerability/CVE-2024-23320,Unsandboxed JavaScript Execution Vulnerability in Apache DolphinScheduler,"Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it. This issue affects Apache DolphinScheduler: until 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. ",Apache,Apache Dolphinscheduler,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-02-23T16:57:09.741Z,0
CVE-2023-51770,https://securityvulnerability.io/vulnerability/CVE-2023-51770,Arbitrary File Read Vulnerability in Apache DolphinScheduler,"Apache DolphinScheduler has a vulnerability that allows for arbitrary file reading, potentially exposing sensitive information. This issue affects all versions prior to 3.2.1. Users are strongly advised to upgrade to version 3.2.1 to mitigate this security risk and protect their systems from unauthorized access to files.",Apache,Apache DolphinScheduler,7.5,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2024-02-20T10:02:12.991Z,0
CVE-2023-50270,https://securityvulnerability.io/vulnerability/CVE-2023-50270,Apache DolphinScheduler Session Fixation Vulnerability,"Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. 
Users are recommended to upgrade to version 3.2.1, which fixes this issue.",Apache,Apache Dolphinscheduler,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-02-20T10:01:32.260Z,0
CVE-2023-49250,https://securityvulnerability.io/vulnerability/CVE-2023-49250,Certificate Verification Vulnerability Affects Apache DolphinScheduler,"Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which fixes the issue. ",Apache,Apache Dolphinscheduler,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-02-20T10:00:06.733Z,0
CVE-2023-49109,https://securityvulnerability.io/vulnerability/CVE-2023-49109,Remote Code Execution Vulnerability Affects Apache DolphinScheduler,"Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. ",Apache,Apache Dolphinscheduler,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-02-20T09:58:56.779Z,0
CVE-2023-49299,https://securityvulnerability.io/vulnerability/CVE-2023-49299,Arbitrary JavaScript Execution Vulnerability in Apache DolphinScheduler,"An improper input validation vulnerability has been identified in Apache DolphinScheduler, allowing authenticated users to execute arbitrary, unsandboxed JavaScript on the server. This flaw affects versions prior to 3.1.9. 
To mitigate risks associated with this vulnerability, it is crucial for users to upgrade to the patched version, 3.1.9, as it addresses this security issue.",Apache,Apache Dolphinscheduler,8.8,HIGH,0.001560000004246831,false,,false,false,false,,,false,false,,2023-12-30T17:15:00.000Z,0
CVE-2023-49620,https://securityvulnerability.io/vulnerability/CVE-2023-49620,Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for,"Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability",Apache,Apache DolphinScheduler,6.5,MEDIUM,0.0010100000072270632,false,,false,false,false,,,false,false,,2023-11-30T09:15:00.000Z,0
CVE-2023-49068,https://securityvulnerability.io/vulnerability/CVE-2023-49068,Apache DolphinScheduler: Information Leakage Vulnerability,"A vulnerability in Apache DolphinScheduler allows unauthorized actors to access sensitive information, exposing logs and potentially compromising user data. Users are advised to restrict log access to trusted operators and upgrade to version 3.2.1 as a remedial measure.",Apache,Apache DolphinScheduler,7.5,HIGH,0.0005799999926239252,false,,false,false,false,,,false,false,,2023-11-27T10:15:00.000Z,0
CVE-2023-48796,https://securityvulnerability.io/vulnerability/CVE-2023-48796,Apache dolphinscheduler sensitive information disclosure,"A vulnerability in Apache DolphinScheduler allows unauthorized actors to access sensitive information, including database credentials. This issue affects versions from 3.0.0 to 3.0.1. Users are advised to upgrade to version 3.0.2 to mitigate this exposure. 
For those unable to upgrade, a temporary workaround involves configuring the environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus`, or adapting the `application.yaml` settings to restrict endpoint exposure.",Apache,Apache DolphinScheduler,7.5,HIGH,0.000699999975040555,false,,false,false,false,,,false,false,,2023-11-24T08:15:00.000Z,0
CVE-2023-25601,https://securityvulnerability.io/vulnerability/CVE-2023-25601,Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has improper authentication,"On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above. ",Apache,Apache Dolphinscheduler,4.3,MEDIUM,0.002360000042244792,false,,false,false,false,,,false,false,,2023-04-20T16:15:00.000Z,0
CVE-2022-45875,https://securityvulnerability.io/vulnerability/CVE-2022-45875,Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin,"The vulnerability in Apache DolphinScheduler arises from improper validation of script alert plugin parameters, which may lead to remote command execution attacks. This security flaw specifically affects authenticated users who can log in to DolphinScheduler, allowing them to exploit the issue on versions up to 3.1.0 and earlier. 
It's crucial for users and administrators to implement the recommended patches and monitor access to mitigate potential risks.",Apache,Apache Dolphinscheduler,9.8,CRITICAL,0.002520000096410513,false,,false,false,false,,,false,false,,2023-01-04T14:57:45.334Z,0
CVE-2022-26885,https://securityvulnerability.io/vulnerability/CVE-2022-26885,Apache DolphinScheduler config file read by task risk,"When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.",Apache,Apache Dolphinscheduler,7.5,HIGH,0.0008399999933317304,false,,false,false,false,,,false,false,,2022-11-24T00:00:00.000Z,0
CVE-2022-45462,https://securityvulnerability.io/vulnerability/CVE-2022-45462,Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability,Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher,Apache,Apache Dolphinscheduler,9.8,CRITICAL,0.010759999975562096,false,,false,false,false,,,false,false,,2022-11-23T00:00:00.000Z,0
CVE-2022-34662,https://securityvulnerability.io/vulnerability/CVE-2022-34662,Apache DolphinScheduler prior to 3.0.0 allows path traversal,"When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. 
You could upgrade to version 3.0.0 or higher",Apache,Apache Dolphinscheduler,6.5,MEDIUM,0.0005300000193528831,false,,false,false,false,,,false,false,,2022-11-01T00:00:00.000Z,0
CVE-2022-26884,https://securityvulnerability.io/vulnerability/CVE-2022-26884,Apache DolphinScheduler exposes files without authentication,"Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.",Apache,Apache Dolphinscheduler,6.5,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2022-10-28T00:00:00.000Z,0
CVE-2022-25598,https://securityvulnerability.io/vulnerability/CVE-2022-25598,Apache DolphinScheduler user registration is vulnerable to ReDoS attacks,"Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.",Apache,Apache Dolphinscheduler,7.5,HIGH,0.001019999966956675,false,,false,false,false,,,false,false,,2022-03-30T09:20:12.000Z,0
CVE-2021-27644,https://securityvulnerability.io/vulnerability/CVE-2021-27644,DolphinScheduler mysql jdbc connector parameters deserialize remote code execution,"In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. 
(Only applicable to MySQL data source with internal login account password)",Apache,Apache Dolphinscheduler,8.8,HIGH,0.004139999859035015,false,,false,false,false,,,false,false,,2021-11-01T09:15:10.000Z,0
CVE-2020-13922,https://securityvulnerability.io/vulnerability/CVE-2020-13922,Apache DolphinScheduler (incubating) Permission vulnerability,Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.,Apache,Apache Dolphinscheduler,6.5,MEDIUM,0.0008800000068731606,false,,false,false,false,,,false,false,,2021-01-11T09:40:19.000Z,0
CVE-2020-11974,https://securityvulnerability.io/vulnerability/CVE-2020-11974,,"In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.",Apache,Apache Dolphinscheduler(incubating),9.8,CRITICAL,0.053780000656843185,false,,false,false,false,,,false,false,,2020-12-18T20:45:21.000Z,0