Description

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

Remediation

References

http://www.openwall.com/lists/oss-security/2021/11/01/3

https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E

https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E

Related Vulnerabilities

CVE-2020-2282 Vulnerability in maven package org.jenkins-ci.plugins:implied-labels

CVE-2021-23358 Vulnerability in npm package underscore

CVE-2020-2217 Vulnerability in maven package org.jenkins-ci.plugins:compatibility-action-storage

CVE-2019-3772 Vulnerability in maven package org.springframework.integration:spring-integration-ws

CVE-2019-14772 Vulnerability in npm package verdaccio

Severity

Critical

Classification

CWE-89 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory