CVE-2024-29831

HIGH8.8EPSS 0.34%

Apache DolphinScheduler: RCE by arbitrary js execution

發布日:2024/8/12修改日:2025/3/19

描述

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.

受影響套件(1)

Maven/org.apache.dolphinscheduler:dolphinschedulerfrom 0, < 3.2.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-29831
PATCHhttps://github.com/apache/dolphinscheduler
WEBhttps://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0
WEBhttp://www.openwall.com/lists/oss-security/2024/08/09/6