CVE-2024-23320 - Improper Input Validation Vulnerability in Apache DolphinScheduler Leads to Unsanboxed JavaScript Execution on Server

Apache DolphinScheduler is a distributed big data visual workflow scheduler system, dedicated to solving the complex dependencies in data processing and making the scheduler system out of the box for users. However, recently, a vulnerability was reported in Apache DolphinScheduler that could lead to arbitrary, unsandboxed JavaScript execution on the server. This vulnerability has been assigned the CVE-ID CVE-2024-23320 by the Common Vulnerabilities and Exposures (CVE) project.

This issue is a legacy of CVE-2023-49299, where the vulnerabilities were not completely fixed, and another patch was required to fix it entirely. The vulnerability in Apache DolphinScheduler affects all versions up to and including version 3.2.1. Users are strongly recommended to upgrade to version 3.2.1 or newer to fix the issue and secure their installations.

Details of the Vulnerability

An authenticated user in Apache DolphinScheduler could exploit this vulnerability by providing malicious JavaScript code as input. The server improperly validates this input and executes the arbitrary, unsandboxed JavaScript code on the server. The exploit details are mentioned below.

Exploit Details

An attacker can submit a specially crafted JSON payload containing JavaScript code in any user-input field that the server processes. The attacker can use the eval() function to execute the JavaScript code on the server.

{
  "UserData": "${eval('malicious_code_here')}"
}

Where, malicious_code_here should be replaced with the JavaScript code the attacker wants to execute on the server.

Original References

- Official Apache DolphinScheduler GitHub Repository: https://github.com/apache/dolphinscheduler
- Apache DolphinScheduler 3.2.1 Release Notes: https://github.com/apache/dolphinscheduler/releases/tag/3.2.1

Recommendations

To mitigate the risk from this vulnerability and to secure your installations of Apache DolphinScheduler, users should:

Upgrade to the latest version (3.2.1) as soon as possible, as this version fixes the issue.

2. Monitor and analyze logs for suspicious activity and review user inputs regularly to identify malicious code infiltration attempts.
3. If possible, configure a Web Application Firewall (WAF) to block potentially malicious payloads from entering the system.

Conclusion

The improper input validation vulnerability in Apache DolphinScheduler poses a severe security risk, and users should take immediate action to patch their systems by upgrading to version 3.2.1. Security is not something to be compromised, and addressing vulnerabilities is a crucial part of maintaining and developing a safe digital environment.

Timeline

Published on: 02/23/2024 17:15:08 UTC
Last modified on: 08/01/2024 13:47:17 UTC