Vulnerability Details : CVE-2022-45875
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.
This attack can be performed only by authenticated users which can login to DS.
Vulnerability category: Input validation
Products affected by CVE-2022-45875
- cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:dolphinscheduler:3.1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-45875
0.25%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 64 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-45875
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-45875
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security@apache.org (Primary)
References for CVE-2022-45875
-
http://www.openwall.com/lists/oss-security/2023/11/22/2
oss-security - CVE-2022-45875: Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin
-
https://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r
CVE-2022-45875: Apache DolphinScheduler prior to 3.0.2 have remote command execution Vulnerability in script alert plugin-Apache Mail ArchivesMailing List;Vendor Advisory
Jump to