
CVE-2022-26884: Apache DolphinScheduler vulnerable to Path Traversal

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.47042%
Published: 10/28/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: org.apache.dolphinscheduler:dolphinscheduler
Ecosystem: maven
Vulnerable Versions: < 2.0.6
First Patched Version: 2.0.6

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability description indicates path traversal via the log server, which implies improper input sanitization in log file retrieval functions. The LoggerController.viewLog method is a core component handling log access in Apache DolphinScheduler. Path traversal vulnerabilities in similar systems often occur in log viewer endpoints that directly use user input to construct file paths without proper normalization. The patch in 2.0.6 would likely have added path validation/sanitization in this critical log handling component.
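The mitigation the analysis above points to, path validation before a user-supplied log name is turned into a file path, can be illustrated with a containment check. The Java class below is an added example written for this page; it is not DolphinScheduler code and not the 2.0.6 patch. The class and method names, the temporary log directory and the sample inputs are all constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not project code): resolve a user-supplied log name against a
 * fixed log root and reject anything that escapes it.
 */
public class SafeLogResolver {
    private final Path logRoot;

    public SafeLogResolver(Path logRoot) throws IOException {
        // toRealPath() canonicalises the root (resolves symlinks) so the later
        // startsWith() comparison is between canonical paths.
        this.logRoot = logRoot.toRealPath();
    }

    /** Returns the canonical path of the requested log, or throws if it leaves logRoot. */
    public Path resolve(String userSuppliedName) throws IOException {
        if (userSuppliedName == null || userSuppliedName.isEmpty()) {
            throw new IllegalArgumentException("empty log name");
        }
        // Resolve relative to the root, then normalize so "../" segments collapse.
        // An absolute input replaces the root entirely, so it also fails the check below.
        Path candidate = logRoot.resolve(userSuppliedName).normalize();
        if (!candidate.startsWith(logRoot)) {
            throw new SecurityException("log path escapes log root: " + userSuppliedName);
        }
        // For existing files, compare the real path as well so a symlink inside the
        // root that points outside it is rejected too.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(logRoot)) {
                throw new SecurityException("symlink escapes log root: " + userSuppliedName);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox directory with one sample log file.
        Path root = Files.createTempDirectory("logs");
        Files.writeString(root.resolve("task-1.log"), "constructed sample log line\n");
        SafeLogResolver resolver = new SafeLogResolver(root);

        // Constructed inputs: two legitimate names, one relative escape, one absolute path.
        String[] inputs = { "task-1.log", "sub/../task-1.log", "../../outside.txt", "/outside.txt" };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + in + " -> " + resolver.resolve(in));
            } catch (SecurityException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The order of operations matters: resolve, then normalize, then compare against the canonical root. Checking the raw string for ".." is not sufficient, since encoded separators, absolute paths and symlinks all bypass a substring check while the canonical-path comparison catches them.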

WAF Protection Rules

WAF Rule

Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
