CVE-2022-34662 - Vulnerability Details - OpenCVE

Description

When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher

Published: 2022-11-01

Score: 6.5 Medium

EPSS: 1.0% Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache DolphinScheduler

affected

Version	Status	Constraints
`Apache DolphinScheduler`	affected	≤ 3.0.0-beta-1

Configuration 1 [-]

cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7330	Apache DolphinScheduler vulnerable to Path Traversal
Github GHSA	GHSA-fp35-xrrr-3gph	Apache DolphinScheduler vulnerable to Path Traversal

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01049.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/11/01/13
https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8

History

Tue, 06 May 2025 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Apache Dolphinscheduler

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-11-01T00:00:00.000Z

Updated: 2025-05-06T03:17:02.317Z

Reserved: 2022-06-27T00:00:00.000Z

Link: CVE-2022-34662

Vulnrichment

Updated: 2024-08-03T09:15:15.715Z

NVD

Status : Modified

Published: 2022-11-01T16:15:13.447

Modified: 2025-05-06T04:16:07.277

Link: CVE-2022-34662

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-34662", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2025-05-06T03:17:02.317Z", "dateReserved": "2022-06-27T00:00:00.000Z", "datePublished": "2022-11-01T00:00:00.000Z"}, "containers": {"cna": {"title": "Apache DolphinScheduler prior to 3.0.0 allows path traversal", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-11-01T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher"}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache DolphinScheduler", "versions": [{"version": "Apache DolphinScheduler", "status": "affected", "lessThanOrEqual": "3.0.0-beta-1", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8"}, {"name": "[oss-security] 20221101 CVE-2022-34662: Apache DolphinScheduler prior to 3.0.0 allows path traversal", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/11/01/13"}], "credits": [{"lang": "en", "value": "This issue was discovered by Jigang Dong of M1QLin Security Team"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "moderate"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:15:15.715Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8", "tags": ["x_transferred"]}, {"name": "[oss-security] 20221101 CVE-2022-34662: Apache DolphinScheduler prior to 3.0.0 allows path traversal", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/11/01/13"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-06T03:16:38.363553Z", "id": "CVE-2022-34662", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T03:17:02.317Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/11/01/13", "name": "[oss-security] 20221101 CVE-2022-34662: Apache DolphinScheduler prior to 3.0.0 allows path traversal", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:15:15.715Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-34662", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-06T03:16:38.363553Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T03:16:58.615Z"}}], "cna": {"title": "Apache DolphinScheduler prior to 3.0.0 allows path traversal", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "This issue was discovered by Jigang Dong of M1QLin Security Team"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache DolphinScheduler", "versions": [{"status": "affected", "version": "Apache DolphinScheduler", "versionType": "custom", "lessThanOrEqual": "3.0.0-beta-1"}]}], "references": [{"url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8"}, {"url": "http://www.openwall.com/lists/oss-security/2022/11/01/13", "name": "[oss-security] 20221101 CVE-2022-34662: Apache DolphinScheduler prior to 3.0.0 allows path traversal", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-11-01T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-34662", "state": "PUBLISHED", "dateUpdated": "2025-05-06T03:17:02.317Z", "dateReserved": "2022-06-27T00:00:00.000Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2022-11-01T00:00:00.000Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE0E5742-FC13-4EBF-8F27-F8E7C10757AB", "versionEndExcluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher"}, {"lang": "es", "value": "Cuando los usuarios agregan recursos al centro de recursos con una ruta de relaci\u00f3n, se producir\u00e1n problemas de path traversal y solo para los usuarios que hayan iniciado sesi\u00f3n. Podr\u00edas actualizar a la versi\u00f3n 3.0.0 o superior."}], "id": "CVE-2022-34662", "lastModified": "2025-05-06T04:16:07.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-11-01T16:15:13.447", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2022/11/01/13"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2022/11/01/13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@apache.org", "type": "Secondary"}]}