CVE-2022-45875

Опубликовано: 04 янв. 2023

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS.

Ссылки

http://www.openwall.com/lists/oss-security/2023/11/22/2
https://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/11/22/2
https://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*

Версия до 3.0.2 (исключая)

cpe:2.3:a:apache:dolphinscheduler:3.1.0:*:*:*:*:*:*:*

EPSS

Процентиль: 87%

0.03121

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-20

Связанные уязвимости

GHSA-3xh5-8hvq-rc8x