CVE-2021-27644
SQL injection in Apache DolphinScheduler
8.8
HIGH
CVSS 3.1
EPSS 1.2%
Description
In Apache DolphinScheduler versions before 1.3.6, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data sources with an internal login account password.)
How to fix CVE-2021-27644
To remediate CVE-2021-27644, upgrade the affected package to a fixed version below.
- Maven/org.apache.dolphinscheduler:dolphinscheduler-server: upgrade to 1.3.6 or later
Is CVE-2021-27644 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.apache.dolphinscheduler:dolphinscheduler-server: from 0, < 1.3.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (4)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2021-27644
- WEB: lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6@%3Cdev.dolphinscheduler.apache.org%3E
- WEB: lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E
- WEB