Date: Fri, 23 Feb 2024 16:33:08 +0000
From: Jiajie Zhong <zhongjiajie@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-23320: Apache DolphinScheduler: Arbitrary JS execution as root for authenticated users

Severity: important

Affected versions:

- Apache DolphinScheduler before 3.2.1

Description:

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server.

This issue is a follow-up to CVE-2023-49299: the fix for CVE-2023-49299 was incomplete, so one more patch has been added to address it fully.

This issue affects Apache DolphinScheduler versions before 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.

Credit:

xuesong.zhou (finder)
Nbxiglk (finder)
Huang Atao (finder)

References:

https://github.com/apache/dolphinscheduler/pull/15487
https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm
https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-23320
