PT-2020-12961 · Apache+1 · Apache Zeppelin+2

Published: 2020-12-18 · Updated: 2024-05-01 · CVE-2020-11974

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

DolphinScheduler versions 1.2.0 through 1.2.1
Apache Zeppelin versions prior to 0.11.1

Description

A remote code execution issue exists when choosing MySQL as the database, potentially allowing an attacker to inject sensitive configuration or malicious code via the MySQL Connector/J or JDBC driver.

Recommendations

For DolphinScheduler versions 1.2.0 and 1.2.1, consider disabling the MySQL Connector/J until a patch is available. For Apache Zeppelin versions prior to 0.11.1, upgrade to version 0.11.1 to fix the issue.

Fix

Deserialization of Untrusted Data

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2020-11974
GHSA-66J8-C83M-GJ5F
GHSA-JPJ4-5XWP-CV23

Affected Products

Apache Zeppelin
DolphinScheduler
MySQL Server