September 30, 2020

CVE-2020-11974, CVE-2020-13922: Apache DolphinScheduler Critical Vulnerabilities Alert

On September 10, the Apache Software Foundation issued a security bulletin covering two Apache DolphinScheduler vulnerabilities: a permission bypass that lets ordinary users overwrite other users' passwords (CVE-2020-13922) and a remote code execution vulnerability in MySQL data source handling (CVE-2020-11974).

CVE-2020-11974 stems from the MySQL Connector/J JDBC driver. When MySQL is selected as the data source type, DolphinScheduler passes user-supplied connection parameters straight to the driver, so an authenticated user who can create or edit a data source can supply {"detectCustomCollations":true, "autoDeserialize":true} as the additional JDBC connection parameters. With autoDeserialize enabled, Connector/J deserializes Java objects it receives from the MySQL server, so pointing the data source at a MySQL server the attacker controls yields code execution on the DolphinScheduler server.
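
The practical server-side defence is to refuse the dangerous driver properties before a user-supplied data source is saved or connected. The following is an added example of that check, written for this page and not taken from DolphinScheduler; the request field names (a JDBC URL plus a JSON "other" block) and the sample payloads are assumed for illustration. The deny-list covers the two properties named in this alert plus the LOAD DATA LOCAL family, which is my own addition:

```python
import json
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Connector/J properties that must never come from an untrusted user.
# autoDeserialize and detectCustomCollations are the two named in this
# alert; the allow*LocalInfile family is my own addition (it lets a hostile
# MySQL server read files from the client host via LOAD DATA LOCAL).
DENIED_JDBC_PROPERTIES = frozenset(
    name.lower()
    for name in (
        "autoDeserialize",
        "detectCustomCollations",
        "allowLoadLocalInfile",
        "allowLoadLocalInfileInPath",
        "allowUrlInLocalInfile",
        "allowLocalInfile",
    )
)


def denied_properties(jdbc_url: str, other: Optional[str]) -> List[str]:
    """Return every denied property present in the JDBC URL's query string
    or in the JSON "other" parameter block, in the order encountered.

    Matching is case-insensitive and ignores the value: the only safe state
    is the property being absent, since "autoDeserialize=false" today can be
    edited to "true" tomorrow by the same user.
    """
    found: List[str] = []
    for key, _value in parse_qsl(urlsplit(jdbc_url).query, keep_blank_values=True):
        if key.lower() in DENIED_JDBC_PROPERTIES:
            found.append(key)
    if other:
        extra = json.loads(other)
        if not isinstance(extra, dict):
            raise ValueError('"other" must be a JSON object of driver properties')
        for key in extra:
            if str(key).lower() in DENIED_JDBC_PROPERTIES:
                found.append(str(key))
    return found


def is_safe_datasource(jdbc_url: str, other: Optional[str]) -> bool:
    """Server-side check to run before a user-supplied data source is saved."""
    return not denied_properties(jdbc_url, other)


# Constructed samples of the connection settings an attacker and a normal
# user might submit; the field shapes are assumed, not copied from the project.
MALICIOUS_OTHER = '{"detectCustomCollations":true, "autoDeserialize":true}'
BENIGN_OTHER = '{"useSSL":true, "serverTimezone":"UTC"}'
URL_SMUGGLED = "jdbc:mysql://10.0.0.5:3306/ds?AUTODESERIALIZE=false&useSSL=true"

if __name__ == "__main__":
    for url, other in [
        ("jdbc:mysql://10.0.0.5:3306/ds", MALICIOUS_OTHER),
        (URL_SMUGGLED, None),
        ("jdbc:mysql://10.0.0.5:3306/ds", BENIGN_OTHER),
    ]:
        bad = denied_properties(url, other)
        print("REJECT" if bad else "ok", url, other, bad)
```

Two design points: the URL query string is checked as well as the JSON block, because a property smuggled into the URL reaches the driver just the same; and the check belongs at connection time too, not only on save, so that data sources created before the fix are caught. An allow-list of known-harmless properties is stronger still if the set of options your users need is small.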

CVE-2020-13922 lets an ordinary (non-administrator) user overwrite the passwords of other users through the user update API endpoint /dolphinscheduler/users/update: the endpoint does not verify that the caller is permitted to modify the account whose id is supplied in the request.
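
The missing check is an ownership or role check on the target account. The following is an added example, written for this page rather than taken from DolphinScheduler's code, showing the flawed handler beside a hardened one; the user types, field names and sample accounts are assumed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, Optional

ADMIN_USER = "ADMIN_USER"
GENERAL_USER = "GENERAL_USER"


@dataclass
class User:
    id: int
    name: str
    user_type: str
    password_hash: str  # stored hash; the hashing itself is out of scope here


class AuthorizationError(Exception):
    """Raised when the caller may not modify the requested account."""


class UserStore:
    def __init__(self, users):
        self.users: Dict[int, User] = {u.id: u for u in users}

    def update_user_vulnerable(self, login_user: User, target_id: int,
                               new_password_hash: str) -> User:
        # The flawed pattern: the caller is authenticated, so the handler
        # trusts whatever user id arrives in the request body.
        target = self.users[target_id]
        target.password_hash = new_password_hash
        return target

    def update_user(self, login_user: User, target_id: int,
                    new_password_hash: str,
                    new_user_type: Optional[str] = None) -> User:
        # Hardened: an admin may edit any account; everyone else only their
        # own. Changing user_type is admin-only so a general user cannot
        # promote themselves while "updating their own profile".
        if login_user.user_type != ADMIN_USER and login_user.id != target_id:
            raise AuthorizationError(f"user {login_user.id} may not edit user {target_id}")
        if new_user_type is not None and login_user.user_type != ADMIN_USER:
            raise AuthorizationError("only an admin may change user_type")
        target = self.users[target_id]
        target.password_hash = new_password_hash
        if new_user_type is not None:
            target.user_type = new_user_type
        return target


def make_store() -> UserStore:
    # Constructed sample accounts (ids, names and hashes are made up).
    return UserStore([
        User(1, "alice", GENERAL_USER, "h-alice"),
        User(2, "admin", ADMIN_USER, "h-admin"),
        User(3, "bob", GENERAL_USER, "h-bob"),
    ])


def attempt_update(store: UserStore, actor_id: int, target_id: int,
                   new_password_hash: str,
                   new_user_type: Optional[str] = None) -> bool:
    """Run the hardened update and report whether it was permitted."""
    try:
        store.update_user(store.users[actor_id], target_id,
                          new_password_hash, new_user_type)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    store = make_store()
    alice = store.users[1]
    # Before the fix: alice (a general user) resets the admin's password.
    store.update_user_vulnerable(alice, 2, "h-attacker")
    print("vulnerable handler: admin hash is now", store.users[2].password_hash)
    # After the fix: the same request is refused and the hash is untouched.
    store = make_store()
    print("hardened, alice -> admin:", attempt_update(store, 1, 2, "h-attacker"))
    print("hardened, alice -> alice:", attempt_update(store, 1, 1, "h-alice2"))
    print("hardened, admin -> bob:", attempt_update(store, 2, 3, "h-bob2"))
    print("hardened, alice promotes self:", attempt_update(store, 1, 1, "h", ADMIN_USER))
```

The identity of the caller comes from the session, never from the request body, and the check is made against the target id before any field is written. The user_type guard is a related caveat: once a self-update path exists, every writable field must be reviewed for what a non-admin may set on their own record.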

[CVE-2020-13922] Apache DolphinScheduler (incubating) Permission vulnerability

Affected version

  • Apache DolphinScheduler 1.2.0, 1.2.1, 1.3.1

Unaffected version

  • Apache DolphinScheduler >= 1.3.2

[CVE-2020-11974] Apache DolphinScheduler (incubating) Remote Code execution vulnerability

Affected version

  • Apache DolphinScheduler 1.2.0, 1.2.1

Unaffected version

  • Apache DolphinScheduler >= 1.3.1

Solution

Apache has fixed both vulnerabilities in the latest release; upgrade to version 1.3.2 or later as soon as possible. After upgrading, review existing MySQL data sources for the connection parameters described above and audit recent password changes made through the user update API.