
=====================================================================

                             CERT-Renater

                  Information Note No. 2021/VULN583
_____________________________________________________________________

DATE                : 03/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache DolphinScheduler versions
                                     prior to 1.3.6.

=====================================================================
mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/<c9328d11-5671-3914-7a69-c79aca2d4686@apache.org>
_____________________________________________________________________

CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc
connector parameters deserialize remote code execution


Severity: low

Description:

In Apache DolphinScheduler versions before 1.3.6, authorized users can
use SQL injection in the data source center. (Only applicable to a MySQL
data source with an internal login account password.)


Credit:

This issue was discovered by Jinchen Sheng of Ant FG Security Lab.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



