Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
DolphinScheduler 1.2.0, 1.2.1


Description:

This issue is related to the MySQL Connector/J remote code execution
vulnerability and applies when MySQL is chosen as the database. For details,
please refer to:
https://securityonline.info/mysql-connectorj-remote-code-execution-vulnerability/
It has been fixed in PR
https://github.com/apache/incubator-dolphinscheduler/pull/2728


Mitigation: 1.2.0 and 1.2.1 users should upgrade to 1.3.1 or later


Example: An attacker can execute code remotely on the DolphinScheduler
server through the JDBC connection parameters input, for example:
{"detectCustomCollations":true,"autoDeserialize":true}
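The kind of server-side check that closes this hole, as an added example written for this advisory (it is not DolphinScheduler's own code nor the fix in the PR): user-supplied connection parameters are parsed and compared against an allowlist before any JDBC URL is built, so the pair shown above is refused. The allowlist contents and the URL layout are assumptions.

```python
import json
import re

# Connector/J properties a data-source form may set. An allowlist (assumed for
# this example; tune it to your deployment): anything not listed, such as the
# advisory's autoDeserialize / detectCustomCollations pair, is rejected.
ALLOWED_PROPERTIES = {
    "useSSL", "requireSSL", "verifyServerCertificate", "useUnicode",
    "characterEncoding", "serverTimezone", "connectTimeout", "socketTimeout",
}
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:+\-]{1,64}$")

class UnsafeJdbcParameters(ValueError):
    """Raised when user-supplied connection parameters are rejected."""

def validate_jdbc_parameters(raw: str) -> dict:
    """Parse the JSON parameter blob; return it only if every key is
    allowlisted (exact match) and every value is a plain URL-safe token."""
    if not raw or not raw.strip():
        return {}
    try:
        params = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise UnsafeJdbcParameters(f"not valid JSON: {exc}") from exc
    if not isinstance(params, dict):
        raise UnsafeJdbcParameters("parameters must be a JSON object")
    clean = {}
    for key, value in params.items():
        if key not in ALLOWED_PROPERTIES:
            raise UnsafeJdbcParameters(f"property not permitted: {key!r}")
        text = str(value).lower() if isinstance(value, bool) else str(value)
        if not _SAFE_VALUE.fullmatch(text):
            raise UnsafeJdbcParameters(f"unsafe value for {key}: {value!r}")
        clean[key] = text
    return clean

def is_safe(raw: str) -> bool:
    try:
        validate_jdbc_parameters(raw)
        return True
    except UnsafeJdbcParameters:
        return False

def build_jdbc_url(host: str, port: int, database: str, raw_params: str) -> str:
    """Assemble a MySQL JDBC URL from validated parameters only."""
    params = validate_jdbc_parameters(raw_params)
    query = "&".join(f"{k}={v}" for k, v in params.items())
    base = f"jdbc:mysql://{host}:{port}/{database}"
    return f"{base}?{query}" if query else base
```

Values are restricted to a plain token because they are appended to the URL as key=value pairs; an allowlist with exact matching also refuses any differently-cased spelling of a forbidden property.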

Credit:  This issue was discovered by WuXiong of QI’ANXIN YunYing Lab.



Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai
lidong...@apache.org
---------------
