Published: Dec 30, 2023
Source: github
Github: Reviewed
CVSS4: 8.7
CVSS3: 8.8
Description
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. This issue affects Apache DolphinScheduler: until 3.1.9.
Users are recommended to upgrade to version 3.1.9, which fixes the issue.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-49299
- https://github.com/apache/dolphinscheduler/pull/15228
- https://github.com/apache/dolphinscheduler/commit/b5eddc0ce85d379080a51bf2162477f7d8c1b7d2
- https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm
- http://www.openwall.com/lists/oss-security/2024/02/23/3
Packages
Name: org.apache.dolphinscheduler:dolphinscheduler-master (maven)
Affected versions: < 3.1.9
Fixed version: 3.1.9
Related vulnerabilities
CVSS3: 8.8
nvd
about 2 years ago
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue.