Unsandboxed JavaScript Execution Vulnerability in Apache DolphinScheduler
CVE-2024-23320

8.8HIGH

Key Information:

Vendor
Apache
Status
Apache Dolphinscheduler
Vendor
CVE Published:
23 February 2024

Summary

An input validation vulnerability discovered in Apache DolphinScheduler allows authenticated users to execute arbitrary, unsandboxed JavaScript on the server. This flaw stems from a prior vulnerability (CVE-2023-49299) that was not fully resolved. Affected users are encouraged to upgrade to version 3.2.1, which implements a comprehensive patch to address this issue.

Affected Version(s)

Apache DolphinScheduler 0 < 3.2.1

References

https://github.com/apache/dolphinscheduler/pull/15487
patch
https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfs...
issue-tracking
https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjd...
vendor-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

xuesong.zhou
Nbxiglk
Huang Atao
.