Description
In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)
References (2)
Core 2
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/r35d6acf021486a390a7ea09e6650c2fe19e72522bd484791d606a6e6%40%3Cdev.dolphinscheduler.apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/11/01/3
Scores
CVSS v3
8.8
EPSS
0.0116
EPSS Percentile
78.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-264
CWE-89
Status
published
Products (2)
apache/dolphinscheduler
< 1.3.6
org.apache.dolphinscheduler/dolphinscheduler-server
0 - 1.3.6Maven
Published
Nov 01, 2021
Tracked Since
Feb 18, 2026