DolphinScheduler mysql jdbc connector parameters deserialize remote code execution
CVE-2021-27644

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Dolphinscheduler
Vendor: CVE Published:; 1 November 2021

Summary

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

Affected Version(s)

Apache DolphinScheduler Apache DolphinScheduler < 1.3.6

References

https://lists.apache.org/thread.html/r35d6acf021486a390a7...

x_refsource_MISC

https://lists.apache.org/thread.html/r35d6acf021486a390a7...

mailing-listx_refsource_MLIST

http://www.openwall.com/lists/oss-security/2021/11/01/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 1, 2021
Vulnerability Reserved
Feb 24, 2021

Credit

This issue was discovered by Jinchen Sheng of Ant FG Security Lab