CVE-2023-49109 - Vulnerability Details - OpenCVE

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Dolphinscheduler

Configuration 1 [-]

cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/02/20/4
https://github.com/apache/dolphinscheduler/pull/14991
https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8
https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5

History

Tue, 18 Mar 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache dolphinscheduler
CPEs		cpe:2.3:a:apache:dolphinscheduler::::::::
Vendors & Products		Apache Apache dolphinscheduler

Thu, 13 Feb 2025 17:30:00 +0000

Type	Values Removed	Values Added
Description	Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.	Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

Mon, 26 Aug 2024 19:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-02-20T09:58:56.779Z

Updated: 2025-02-13T17:18:34.198Z

Reserved: 2023-11-22T08:14:39.874Z

Link: CVE-2023-49109

Vulnrichment

Updated: 2024-08-02T21:46:29.198Z

NVD

Status : Analyzed

Published: 2024-02-20T10:15:07.927

Modified: 2025-03-18T17:37:00.060

Link: CVE-2023-49109

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49109", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-11-22T08:14:39.874Z", "datePublished": "2024-02-20T09:58:56.779Z", "dateUpdated": "2025-02-13T17:18:34.198Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache DolphinScheduler", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.2.1", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Y4tacker and 4ra1n from Y4secTeam"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.<br><br>This issue affects Apache DolphinScheduler: before 3.2.1. <br><br>We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."}], "value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-20T10:00:07.687Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/dolphinscheduler/pull/14991"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"}], "source": {"discovery": "EXTERNAL"}, "title": "Remote Code Execution in Apache Dolphinscheduler", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.198Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://github.com/apache/dolphinscheduler/pull/14991"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "apache", "product": "dolphinscheduler", "cpes": ["cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.0.0", "status": "affected", "lessThan": "3.2.1", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-02-20T15:21:40.896739Z", "id": "CVE-2023-49109", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T17:51:16.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/apache/dolphinscheduler/pull/14991", "tags": ["patch", "x_transferred"]}, {"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.198Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-49109", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-20T15:21:40.896739Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "dolphinscheduler", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.2.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T17:49:58.417Z"}}], "cna": {"title": "Remote Code Execution in Apache Dolphinscheduler", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Y4tacker and 4ra1n from Y4secTeam"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache DolphinScheduler", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/dolphinscheduler/pull/14991", "tags": ["patch"]}, {"url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5", "tags": ["vendor-advisory"]}, {"url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. ", "supportingMedia": [{"type": "text/html", "value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.<br><br>This issue affects Apache DolphinScheduler: before 3.2.1. <br><br>We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-20T09:58:56.779Z"}}}, "cveMetadata": {"cveId": "CVE-2023-49109", "state": "PUBLISHED", "dateUpdated": "2024-08-26T17:51:16.718Z", "dateReserved": "2023-11-22T08:14:39.874Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-02-20T09:58:56.779Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*", "matchCriteriaId": "39833A23-5C26-4210-8BEE-54C3195A4A3C", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.0.0 ", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. "}, {"lang": "es", "value": "Exposici\u00f3n de la ejecuci\u00f3n remota de c\u00f3digo en Apache Dolphinscheduler. Este problema afecta a Apache DolphinScheduler: versiones anteriores a 3.2.1. Recomendamos a los usuarios que actualicen Apache DolphinScheduler a la versi\u00f3n 3.2.1, que soluciona el problema."}], "id": "CVE-2023-49109", "lastModified": "2025-03-18T17:37:00.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-20T10:15:07.927", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/apache/dolphinscheduler/pull/14991"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/02/20/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/apache/dolphinscheduler/pull/14991"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Secondary"}]}