Dolphinscheduler Apache Dolphinscheduler

Do you want an email whenever new security vulnerabilities are reported in Apache Dolphinscheduler?

By the Year

In 2023 there have been 1 vulnerability in Apache Dolphinscheduler with an average score of 9.8 out of ten. Last year Dolphinscheduler had 5 security vulnerabilities published. Right now, Dolphinscheduler is on track to have less security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 2.24.

Year Vulnerabilities Average Score
2023 1 9.80
2022 5 7.56
2021 2 7.65
2020 1 9.80
2019 0 0.00
2018 0 0.00

It may take a day or so for new Dolphinscheduler vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Dolphinscheduler Security Vulnerabilities

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability

CVE-2022-45875 9.8 - Critical - January 04, 2023

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.

Improper Input Validation

When using tasks to read config files, there is a risk of database password disclosure

CVE-2022-26885 7.5 - High - November 24, 2022

When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.

Insufficiently Protected Credentials

Alarm instance management has command injection when there is a specific command configured

CVE-2022-45462 9.8 - Critical - November 23, 2022

Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher

Command Injection

When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users

CVE-2022-34662 6.5 - Medium - November 01, 2022

When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher

Directory traversal

Users can read any files by log server

CVE-2022-26884 6.5 - Medium - October 28, 2022

Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.

Directory traversal

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks

CVE-2022-25598 7.5 - High - March 30, 2022

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

Resource Exhaustion

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center

CVE-2021-27644 8.8 - High - November 01, 2021

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

SQL Injection

Versions of Apache DolphinScheduler prior to 1.3.2

CVE-2020-13922 6.5 - Medium - January 11, 2021

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

Incorrect Default Permissions

In DolphinScheduler 1.2.0 and 1.2.1

CVE-2020-11974 9.8 - Critical - December 18, 2020

In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apache Dolphinscheduler or by Apache? Click the Watch button to subscribe.

Apache
Vendor

subscribe