Unsandboxed JavaScript Execution Vulnerability in Apache DolphinScheduler
CVE-2024-23320

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Dolphinscheduler
Vendor: CVE Published:; 23 February 2024

Summary

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.

This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.

This issue affects Apache DolphinScheduler: until 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.

Affected Version(s)

Apache DolphinScheduler 0 < 3.2.1

References

https://github.com/apache/dolphinscheduler/pull/15487

patch

https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfs...

issue-tracking

https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjd...

vendor-advisory

Timeline

Vulnerability published
Feb 23, 2024
Vulnerability Reserved
Jan 15, 2024

Credit

xuesong.zhou

Nbxiglk

Huang Atao