CVE-2023-49109

Remote Code Execution in Apache Dolphinscheduler

CVSS 9.8 CRITICALEPSS 2.3%CWE-94

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 2.3%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

20 Feb 2024Published on NVD

19 Aug 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Apache Software Foundation · Apache DolphinScheduler

public PoCs found — 2

githubgithub.com/shoucheng3/apache__dolphinscheduler_CVE-2023-49109_3-2-0★ 0 githubgithub.com/shoucheng3/apache__dolphinscheduler_CVE-2023-49109_3_2_1_fixed★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/apache/dolphinscheduler/pull/14991 https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8 https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5 http://www.openwall.com/lists/oss-security/2024/02/20/4