CVE-2024-29831

HIGH

Apache DolphinScheduler - RCE

Title source: llm

Description

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.

Scores

CVSS v3 8.8
EPSS 0.0034
EPSS Percentile 56.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-20
Status published

Affected Products (2)

apache/dolphinscheduler < 3.2.2
org.apache.dolphinscheduler/dolphinscheduler < 3.2.2 (Maven)

Timeline

Published Aug 12, 2024
Tracked Since Feb 18, 2026