CVE-2020-11974, CVE-2020-13922: Apache DolphinScheduler Critical Vulnerabilities Alert
On September 10, the Apache Software Foundation issued a security bulletin to fix the Apache DolphinScheduler permission override vulnerability (CVE-2020-13922) and the Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974).
CVE-2020-11974 is a remote code execution vulnerability via the MySQL Connector/J driver. When MySQL is selected as the database, an attacker can supply {"detectCustomCollations":true, "autoDeserialize":true} as extra JDBC connection parameters to execute code remotely on the DolphinScheduler server.
CVE-2020-13922 allows ordinary users to overwrite the passwords of other users in the DolphinScheduler system through the API interface /dolphinscheduler/users/update.
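The parameter check that the CVE-2020-11974 description above calls for, as an added defensive example that is not code from the advisory or from the DolphinScheduler project: validate a datasource's extra JDBC parameters before they are assembled into the connection URL handed to the MySQL driver. The deny-list entries beyond the two names the advisory quotes, and the URL-building function itself, are assumptions of this example.

```python
import json
from urllib.parse import quote

# Connector/J properties a datasource owner must not set from the UI. The advisory
# names autoDeserialize and detectCustomCollations; the other entries are further
# driver switches added as an assumption of this example, not taken from the fix.
DENIED_PARAMS = frozenset(k.lower() for k in (
    "autoDeserialize", "detectCustomCollations",
    "queryInterceptors", "statementInterceptors",
    "allowLoadLocalInfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath",
))
URL_DELIMITERS = set("?&=#")  # would let one JSON entry become several URL params

def check_other_params(other_json: str) -> list:
    """Return rejection reasons for the user-supplied 'other' JDBC parameters;
    an empty list means they are acceptable."""
    if not other_json or not other_json.strip():
        return []
    try:
        params = json.loads(other_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(params, dict):
        return ["connection parameters must be a JSON object"]
    reasons = []
    for key, value in params.items():
        if not isinstance(value, (str, int, bool)):
            reasons.append(f"unsupported value type for {key!r}")
            continue
        # Case-insensitive compare so a differently cased key cannot slip past.
        if key.lower() in DENIED_PARAMS:
            reasons.append(f"parameter {key!r} is not allowed")
        if URL_DELIMITERS & (set(key) | set(str(value))):
            reasons.append(f"URL delimiter inside parameter {key!r}")
    return reasons

def build_mysql_jdbc_url(host: str, port: int, database: str, other_json: str = "") -> str:
    """Assemble the JDBC URL only after the extra parameters pass the check."""
    reasons = check_other_params(other_json)
    if reasons:
        raise ValueError("; ".join(reasons))
    url = f"jdbc:mysql://{host}:{int(port)}/{quote(database, safe='')}"
    params = json.loads(other_json) if other_json.strip() else {}
    if params:
        # Connector/J expects lowercase true/false for boolean properties.
        parts = [f"{k}={'true' if v is True else 'false' if v is False else v}"
                 for k, v in params.items()]
        url += "?" + "&".join(parts)
    return url
```

Rejecting the request at the API layer, rather than only hiding the field in the UI, is what closes the hole, since the parameters arrive as a JSON string in the datasource definition.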
[CVE-2020-13922] Apache DolphinScheduler (incubating) Permission vulnerability
Affected version
- Apache DolphinScheduler = 1.2.0, 1.2.1, 1.3.1
Unaffected version
- Apache DolphinScheduler >= 1.3.2
[CVE-2020-11974] Apache DolphinScheduler (incubating) Remote Code execution vulnerability
Affected version
- Apache DolphinScheduler = 1.2.0, 1.2.1
Unaffected version
- Apache DolphinScheduler >= 1.3.1
Solution
Apache has fixed these vulnerabilities in the latest version; please upgrade to version 1.3.2 as soon as possible.