Miggo Logo
Miggo Vulnerability Database
CVE-2021-27644

CVE-2021-27644: SQL injection in Apache DolphinScheduler

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-27644
GHSA ID
GHSA-93g4-3phc-g4xw
EPSS Score
0.88455%
CWE
CWE-89
Published
11/3/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.dolphinscheduler:dolphinscheduler-servermaven< 1.3.61.3.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insufficient input validation when constructing MySQL JDBC connections. Key indicators:

  1. DataSourceService.buildParameter() processed untrusted inputs without validation (added checkParams() in patch)
  2. MySQLDataSource methods handled connection parameters with insecure string operations rather than allow-list validation
  3. Test cases show injection via 'other' parameters was possible
  4. CWE-89 mapping confirms SQL injection via crafted parameters These functions would appear in stack traces when processing malicious datasource configuration requests containing SQL injection payloads in connection parameters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** *olp*inS****ul*r ***or* *.*.* v*rsions, *ut*oriz** us*rs **n us* SQL inj**tion in t** **t* sour** **nt*r. (Only *ppli***l* to MySQL **t* sour** wit* int*rn*l lo*in ***ount p*sswor*)

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt input v*li**tion w**n *onstru*tin* MySQL J*** *onn**tions. K*y in*i**tors: *. **t*Sour**S*rvi**.*uil*P*r*m*t*r() pro**ss** untrust** inputs wit*out v*li**tion (***** ****kP*r*ms() in p*t**) *. MySQL**t*Sour**