Description
In Apache DolphinScheduler versions before 1.3.6, authorized users can use SQL injection in the data source center. (Only applicable to a MySQL data source with internal login account password.)
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/01/3
https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E