Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.
The error consists of incorrect default permissions configuration in Apache DolphinScheduler software. According to the CVSS vector, the exploit does not require authentication or user interaction, and the attack can be conducted remotely over the network. Incorrect permissions may enable unauthorized access to resources or operations that should be protected.
An attacker can gain full access to the system — compromising confidentiality, integrity, and availability of data — without needing to possess any permissions or credentials.
Apache DolphinScheduler should be updated immediately to version 3.3.1, which contains a patch eliminating the vulnerability. Details are available in the vendor references at: https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk
Apache DolphinScheduler in versions before 3.2.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Dolphinscheduler
APPApache< 3.2.2
Related vulnerabilities
RCE w Apache DolphinScheduler — zdalne wykonanie kodu bez uwierzytelnienia
RCE w Apache DolphinScheduler — zdalne wykonanie kodu bez uwierzytelnienia
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execu...
Alarm instance management has command injection when there is a specific command configured. It is only for lo...
In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when c...