CVE-2024-29831

HIGH8.8EPSS 0.34%

Apache DolphinScheduler: RCE by arbitrary js execution

Published: 8/12/2024Modified: 3/19/2025

Description

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.

Affected packages (1)

Maven/org.apache.dolphinscheduler:dolphinschedulerfrom 0, < 3.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-29831
PATCHhttps://github.com/apache/dolphinscheduler
WEBhttps://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0
WEBhttp://www.openwall.com/lists/oss-security/2024/08/09/6