CVE-2023-49299 – This vulnerability allows authenticated users i... (How to Fix)

Q: What is the severity of CVE-2023-49299?

CVE-2023-49299 has a CVSS score of 8.8 (HIGH). This vulnerability allows authenticated users in Apache DolphinScheduler to execute arbitrary JavaScript code on the server without sandbox restrictions. This affects all Apache DolphinScheduler installations running versions before 3.1.9. The issue stems from improper input validation in the application.

📋 TL;DR

This vulnerability allows authenticated users in Apache DolphinScheduler to execute arbitrary JavaScript code on the server without sandbox restrictions. This affects all Apache DolphinScheduler installations running versions before 3.1.9. The issue stems from improper input validation in the application.

💻 Affected Systems

Products:

Apache DolphinScheduler

Versions: All versions before 3.1.9

Operating Systems: All platforms running DolphinScheduler

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. Authentication is required but standard user accounts can exploit this.

📦 What is this software?

Dolphinscheduler by Apache

View all CVEs affecting Dolphinscheduler →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data theft, lateral movement within the network, and potential ransomware deployment.

🟠

Likely Case

Unauthorized data access, privilege escalation, and installation of backdoors or cryptocurrency miners.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege access controls are implemented.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers who can obtain or compromise credentials.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or attackers who breach the network perimeter.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but the vulnerability is straightforward to exploit once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.9

Vendor Advisory: https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm

Restart Required: Yes

Instructions:

1. Backup your current DolphinScheduler configuration and data. 2. Download version 3.1.9 from the official Apache repository. 3. Stop the DolphinScheduler service. 4. Replace the installation with version 3.1.9. 5. Restart the DolphinScheduler service. 6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Restrict User Access

all

Limit DolphinScheduler access to only essential personnel and implement strong authentication controls.

Network Segmentation

all

Isolate DolphinScheduler instances from critical systems and implement strict firewall rules.

🧯 If You Can't Patch

Implement strict network access controls to limit who can reach the DolphinScheduler interface
Enable detailed logging and monitoring for suspicious JavaScript execution attempts

🔍 How to Verify

Check if Vulnerable:

Check the DolphinScheduler version in the web interface or configuration files. If version is below 3.1.9, the system is vulnerable.

Check Version:

Check the version in the web interface or examine the application.properties file for version information.

Verify Fix Applied:

After upgrading, verify the version shows 3.1.9 or higher in the web interface or configuration.

📡 Detection & Monitoring

Log Indicators:

Unusual JavaScript execution patterns
Multiple failed authentication attempts followed by successful login
Unexpected process creation from DolphinScheduler

Network Indicators:

Unusual outbound connections from DolphinScheduler server
Traffic to known malicious domains

SIEM Query:

source="dolphinscheduler" AND (event="javascript_execution" OR event="code_injection")

📊 Metadata

CVE ID: CVE-2023-49299

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: December 30, 2023

Last Updated: February 13, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2024/02/23/3
https://github.com/apache/dolphinscheduler/pull/15228 Patch,Vendor Advisory
https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm Mailing List,Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/23/3
https://github.com/apache/dolphinscheduler/pull/15228 Patch,Vendor Advisory
https://lists.apache.org/thread/tnf99qoc6tlnwrny4t1zk6mfszgdsokm Mailing List,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49299, you might also want to check these: