Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: DolphinScheduler 1.2.0, 1.2.1

Description: When MySQL is chosen as the DolphinScheduler database, the product is affected by the MySQL Connector/J remote code execution vulnerability. For details, please refer to: https://securityonline.info/mysql-connectorj-remote-code-execution-vulnerability/ . We have fixed it in PR https://github.com/apache/incubator-dolphinscheduler/pull/2728 .

Mitigation: Users of 1.2.0 and 1.2.1 should upgrade to >=1.3.1.

Example: An attacker can execute code remotely on the DolphinScheduler server through the JDBC connection parameters input {"detectCustomCollations":true,"autoDeserialize":true}.

Credit: This issue was discovered by WuXiong of QI'ANXIN YunYing Lab.

Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai
lidong...@apache.org
---------------
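The advisory's example shows the risk of passing user-supplied JDBC connection parameters straight through to the driver. The following is an added illustration of the defensive pattern, written here for this page; it is not DolphinScheduler's code and not the change made in PR #2728. It treats the datasource's extra-parameter field as untrusted JSON, permits only a small allowlist of driver options (the allowlist itself is an assumption chosen for the example), and builds the JDBC URL only from parameters that pass the check. The two option names in the rejected sample are the ones quoted in the advisory.

```python
"""Allowlist check for user-supplied JDBC connection parameters.

Added example, not DolphinScheduler's code and not the fix from PR #2728.
The scenario is the one in the advisory: a user who can edit a MySQL
datasource's extra JDBC parameters must not be able to switch on
Connector/J options that make the driver deserialize server-provided data.
"""
import json
from urllib.parse import urlencode

# Driver options a datasource form may pass through unchanged.
# This allowlist is an assumption for the example, not the project's list;
# anything not named here (including the advisory's "autoDeserialize" and
# "detectCustomCollations") is rejected.
ALLOWED_PARAMS = {
    "usessl",
    "requiressl",
    "verifyservercertificate",
    "useunicode",
    "characterencoding",
    "servertimezone",
    "connecttimeout",
    "sockettimeout",
}


def check_jdbc_params(raw: str) -> tuple[bool, list[str]]:
    """Validate the JSON 'other parameters' field of a datasource.

    Returns (ok, problems). Every offending key is reported so the form can
    show the user all rejected entries at once.
    """
    problems: list[str] = []
    try:
        params = json.loads(raw) if raw.strip() else {}
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg}"]
    if not isinstance(params, dict):
        return False, ["parameters must be a JSON object"]
    for key, value in params.items():
        # Compare case-insensitively so a differently cased spelling of a
        # key cannot slip past the list (a conservative assumption).
        if key.lower() not in ALLOWED_PARAMS:
            problems.append(f"parameter not permitted: {key}")
        # Only scalars make sense as driver options; nested objects or
        # arrays are rejected rather than stringified.
        if not isinstance(value, (str, int, bool)):
            problems.append(f"parameter must be a scalar: {key}")
    return (not problems), problems


def _jdbc_value(value) -> str:
    """Render a parameter value the way a JDBC URL expects it."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def build_jdbc_url(host: str, port: int, database: str, params: dict) -> str:
    """Build a MySQL JDBC URL from validated parameters only.

    Raises ValueError if any parameter fails check_jdbc_params, so a
    rejected option can never reach the driver.
    """
    ok, problems = check_jdbc_params(json.dumps(params))
    if not ok:
        raise ValueError("; ".join(problems))
    query = urlencode({k: _jdbc_value(v) for k, v in params.items()})
    base = f"jdbc:mysql://{host}:{port}/{database}"
    return f"{base}?{query}" if query else base


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's parameter string and a benign one.
    rejected = '{"detectCustomCollations":true,"autoDeserialize":true}'
    accepted = '{"useSSL":true,"serverTimezone":"UTC"}'
    print(check_jdbc_params(rejected))
    print(check_jdbc_params(accepted))
    print(build_jdbc_url("db.example.invalid", 3306, "dolphinscheduler",
                         {"useSSL": True, "serverTimezone": "UTC"}))
```

An allowlist is preferable to a denylist here because the set of driver options that can change connection behaviour is large and grows with driver releases; only options the application actually needs should be user-settable, and everything else should be fixed in server-side configuration.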