apache/dolphinscheduler

apache/dolphinscheduler

dolphinscheduler.apache.org

Releases65

Frequency1 month 1 week

Last Release 5 days ago

Stars14.3K

Apache DolphinScheduler is the modern data orchestration platform. Agile to create high performance workflow with low-code

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-43202 ↗	Aug 20, 2024Tuesday, 20 August 2024, 08:15	9.8 CRITICAL	—
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.
CVE-2024-23320 ↗	Feb 23, 2024Friday, 23 February 2024, 17:15	8.8 HIGH	—
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it. This issue affects Apache DolphinScheduler: until 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue.
CVE-2023-49250 ↗	Feb 20, 2024Tuesday, 20 February 2024, 10:15	7.3 HIGH	—
Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which fixes the issue.
CVE-2023-50270 ↗	Feb 20, 2024Tuesday, 20 February 2024, 10:15	6.5 MEDIUM	—
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.
CVE-2023-51770 ↗	Feb 20, 2024Tuesday, 20 February 2024, 10:15	7.5 HIGH	—
Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
CVE-2023-49109 ↗	Feb 20, 2024Tuesday, 20 February 2024, 10:15	9.8 CRITICAL	—
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
CVE-2023-49299 ↗	Dec 30, 2023Saturday, 30 December 2023, 17:15	8.8 HIGH	—
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue.
CVE-2023-49620 ↗	Nov 30, 2023Thursday, 30 November 2023, 09:15	6.5 MEDIUM	—
Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability
CVE-2023-49068 ↗	Nov 27, 2023Monday, 27 November 2023, 10:15	7.5 HIGH	—
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators.