Apache · Apache Airflow · CVE-2020-11978
**Name of the Vulnerable Software and Affected Versions**
Apache Airflow versions 1.10.10 and below
**Description**
The issue is an OS command injection (CWE-78: improper neutralization of special elements used in an OS command) in one of the example DAGs shipped with Apache Airflow. The example DAG renders a value supplied in the DAG run configuration (`dag_run.conf`) into a shell command without neutralizing shell metacharacters, so any authenticated user who can trigger that DAG with a crafted `conf` payload can run arbitrary commands. The commands execute with the privileges of the account running the Airflow worker or scheduler (which one depends on the executor in use), not necessarily as root; the impact is nevertheless full code execution on the host that runs Airflow tasks.
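The pattern behind the vulnerability, as an added illustration rather than Airflow's own code: an untrusted `dag_run.conf` value spliced into a `BashOperator`-style command string, shown beside the hardened form that hands the value to the shell through an environment variable. Airflow's real rendering step is Jinja; plain `str.format` is used here because the substitution result is the same. The command templates, the `message` key and the payload are assumptions constructed for the demo.

```python
"""Untrusted dag_run.conf rendered into a shell command: vulnerable vs hardened.

Added illustration, not code from Apache Airflow. ``str.format`` stands in for
Airflow's Jinja rendering of a BashOperator ``bash_command``; the template
strings, the ``message`` conf key and the payload are assumptions for the demo.
"""
import os
import subprocess

# Assumed vulnerable pattern: the conf value is spliced straight into shell text,
# so quotes and separators inside the value become shell syntax.
VULNERABLE_BASH_COMMAND = 'echo "Here is the message: {message}"'

# Hardened pattern: the shell text is fixed and the value reaches the shell only
# as an environment variable. The shell expands $MESSAGE but never re-parses the
# expanded text as syntax, so metacharacters in it stay literal.
HARDENED_BASH_COMMAND = 'echo "Here is the message: $MESSAGE"'


def render_vulnerable(conf):
    """Mimic template rendering of the vulnerable command (value inserted verbatim)."""
    return VULNERABLE_BASH_COMMAND.format(message=conf.get("message", ""))


def run_vulnerable(conf):
    """Execute the rendered command the way a worker would: through a shell."""
    cmd = render_vulnerable(conf)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return result.stdout


def run_hardened(conf):
    """Same shell execution, but the untrusted value is passed as an env var."""
    env = dict(os.environ, MESSAGE=str(conf.get("message", "")))
    result = subprocess.run(
        HARDENED_BASH_COMMAND, shell=True, env=env, capture_output=True, text=True, check=False
    )
    return result.stdout


# Constructed attacker payload: close the quoted string, run an extra command,
# reopen the quote so the rest of the template still parses. $((40+2)) plays the
# role of the attacker's command: its result, 42, appears in the output only if
# the shell actually evaluated the injected text.
MALICIOUS_CONF = {"message": '"; echo $((40+2)); echo "'}
BENIGN_CONF = {"message": "hello"}

if __name__ == "__main__":
    print("rendered (vulnerable):", render_vulnerable(MALICIOUS_CONF))
    print("vulnerable output:", repr(run_vulnerable(MALICIOUS_CONF)))
    print("hardened output:  ", repr(run_hardened(MALICIOUS_CONF)))
```

In a real DAG the hardened form corresponds to keeping `bash_command` free of `dag_run.conf` references and passing the value through `BashOperator`'s `env` argument (itself a templated field), which is what the demo's environment variable models. Triggering a DAG with a crafted `conf` only requires the trigger permission, which is why any authenticated user could reach the vulnerable example DAG.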
**Recommendations**
For Apache Airflow versions 1.10.10 and below, disable loading of the example DAGs as an interim mitigation by setting `load_examples = False` in the `[core]` section of `airflow.cfg` (or the equivalent environment variable `AIRFLOW__CORE__LOAD_EXAMPLES=False`) and restarting the scheduler and webserver, so that the affected example DAG is no longer registered. Leaving `load_examples = True` on an internet-facing or multi-user deployment keeps the vulnerable DAG triggerable by every authenticated user.
The vulnerability is fixed in Apache Airflow 1.10.11; upgrading to 1.10.11 or later is the recommended remediation, with the configuration change above serving only until the upgrade is done.