CVE-2024-23320: Apache DolphinScheduler: Arbitrary js execution as root for authenticated users

Description

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server.

This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.

This issue affects Apache DolphinScheduler: until 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.

Classification

CVE ID: CVE-2024-23320

Affected Products

Vendor: Apache Software Foundation

Product: Apache DolphinScheduler

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 18.39% (share of all scored CVEs with an equal or lower score)

EPSS Date: 2025-03-14 (date this score was calculated)

References

https://github.com/apache/dolphinscheduler/pull/15487
https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm
https://lists.apache.org/thread/25qhfvlksozzp6j9y8ozznvjdjp3lxqq
https://lists.apache.org/thread/p7rwzdgrztdfps8x1bwx646f1mn0x6cp
http://www.openwall.com/lists/oss-security/2024/02/23/3

Timeline