Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2022-26885 CVE-2022-45462 |
CWE-ID | CWE-256 CWE-78 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | DolphinScheduler |
Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU69763
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26885
CWE-ID:
CWE-256 - Unprotected Storage of Credentials
Exploit availability: No
Description: The vulnerability allows a local user to gain access to other users' credentials.
The vulnerability exists because the application stores credentials in plain text in a configuration file on the system. A local user can obtain access to sensitive information by using tasks to read configuration files.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: DolphinScheduler: 2.0.0 - 2.0.5
External links: http://lists.apache.org/thread/z7084r9cs2r26cszkkgjqpb5bhnxqssp
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU69762
Risk: Medium
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-45462
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description: The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within alarm instance management. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: DolphinScheduler: 2.0.0 - 2.0.5
External links: http://lists.apache.org/thread/2f126y32bf1v3mvxkdgt2jr5j3l1t01w
http://www.openwall.com/lists/oss-security/2022/11/23/1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.