
Apache DolphinScheduler<3.2.1 arbitrary code execution vulnerability #390

Open
y1ong opened this issue Feb 26, 2024 · 0 comments
y1ong commented Feb 26, 2024

  • Vulnerability ID: CVE-2024-23320
  • Severity rating: Critical
  • Vulnerability tags: Alert issued, Public vulnerability
  • Disclosure date: 2024-02-24
  • Source: https://www.oscs1024.com/cm
  • Push reason: tag update: [Public vulnerability] => [Alert issued, Public vulnerability]

Vulnerability description

Apache DolphinScheduler is an open-source distributed task scheduling system.
In affected versions, the SwitchTaskUtils#generateContentWithTaskParams method does not effectively filter user-controllable task parameters. An attacker can create a data-processing task whose parameters contain template strings (e.g. ${cmd}) or Unicode-encoded content; when the program executes the task, arbitrary JavaScript code that can escape the sandbox is executed on the server.
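The weakness described above is the general pattern of splicing untrusted task parameters into script text that is later handed to a JavaScript engine. The following is an added illustration written for this issue, not DolphinScheduler's own code: it contrasts that risky text interpolation with a hardened evaluation that validates parameter names and values and passes the values to the engine as bindings, so they are data rather than program text. The class name, the `javascript` engine name (Nashorn on JDK 8 to 14, or a separately installed engine on newer JDKs) and the validation rules are assumptions made for the example.

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical hardened evaluation of a switch-task condition (example only). */
public final class SafeSwitchCondition {

    // Parameter names must be plain identifiers so they can be bound as script variables.
    private static final Pattern NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    // Reject template placeholders and Unicode escapes in values: both are ways for
    // text to be reinterpreted as code once it reaches a script engine.
    private static final Pattern FORBIDDEN = Pattern.compile("\\$\\{|\\\\u[0-9A-Fa-f]{4}");

    // Risky pattern described in the advisory: parameter values become part of the script text.
    static String interpolate(String condition, Map<String, String> params) {
        String script = condition;
        for (Map.Entry<String, String> e : params.entrySet()) {
            script = script.replace("${" + e.getKey() + "}", e.getValue());
        }
        return script;
    }

    // Hardened pattern: the condition is operator-authored; parameter values never enter
    // the script text and are exposed to it only as bound string variables.
    static boolean evaluate(String condition, Map<String, String> params) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        if (engine == null) {
            throw new IllegalStateException("no JavaScript engine available");
        }
        Bindings bindings = engine.createBindings();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!NAME.matcher(e.getKey()).matches()) {
                throw new IllegalArgumentException("bad parameter name: " + e.getKey());
            }
            if (FORBIDDEN.matcher(e.getValue()).find()) {
                throw new IllegalArgumentException("rejected parameter value for: " + e.getKey());
            }
            bindings.put(e.getKey(), e.getValue()); // bound as a string value, not as code
        }
        Object result = engine.eval(condition, bindings);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) throws ScriptException {
        // Constructed sample inputs for the demonstration.
        Map<String, String> ok = Map.of("status", "ready");
        System.out.println("ok parameters -> " + evaluate("status === 'ready'", ok));

        Map<String, String> suspicious = Map.of("status", "${cmd}");
        try {
            evaluate("status === 'ready'", suspicious);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected -> " + ex.getMessage());
        }
    }
}
```

Binding values instead of interpolating them removes the injection path the advisory describes, but it does not by itself restrict what the script engine can reach; confining the engine (for Nashorn, a ClassFilter supplied through NashornScriptEngineFactory) is a separate control that should be applied alongside input validation. For detection, logging and alerting on task parameters that match the FORBIDDEN pattern gives a simple signal that someone is probing this code path.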

References

  1. https://www.oscs1024.com/hd/MPS-t2ir-al41
  2. https://nvd.nist.gov/vuln/detail/CVE-2024-23320
  3. apache/dolphinscheduler@ef9ed3d
  4. GHSA-rc6h-qwj9-2c53
@y1ong y1ong added the vuln label Feb 26, 2024