CVE-2023-49299 – org.apache.dolphinscheduler:dolphinscheduler-master
Package
Manager: maven
Name: org.apache.dolphinscheduler:dolphinscheduler-master
Vulnerable Version: >=0 <3.1.9
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00741 (percentile 0.72071)
Details
Apache DolphinScheduler: Arbitrary js execute as root for authenticated users
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. This issue affects Apache DolphinScheduler versions before 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue.
Metadata
Created: 2023-12-30T18:30:37Z
Modified: 2025-02-13T19:30:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-v7hg-77v9-2445/GHSA-v7hg-77v9-2445.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-v7hg-77v9-2445
Finding: F184
Auto approve: 1