6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-34662

GHSA ID

GHSA-fp35-xrrr-3gph

EPSS Score

0.33559%

CWE

CWE-22

Published

11/1/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-34662

CVE-2022-34662: Apache DolphinScheduler vulnerable to Path Traversal

When users add resources to the resource center with a relation path, this vulnerability will cause path traversal issues for logged-in users. Users should upgrade to version 3.0.0 to avoid this issue.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-34662

GHSA ID

GHSA-fp35-xrrr-3gph

EPSS Score

0.33559%

CWE

CWE-22

Published

11/1/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.dolphinscheduler:dolphinscheduler	maven	< 3.0.0	3.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path validation when handling user-supplied 'relation path' parameters. In Java-based systems, path traversal vulnerabilities typically occur in functions that: 1. Receive user input via API endpoints (Controller layer) 2. Process file paths in service methods (Service layer) without proper canonicalization. The ResourceService.createResource is a high-confidence candidate as resource management core logic would reside here, while the ResourceController.uploadResource is medium confidence as it's the entry point but might delegate validation to service layers. Both would fail to properly sanitize paths using methods like getCanonicalPath() with base directory checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n us*rs *** r*sour**s to t** r*sour** **nt*r wit* * r*l*tion p*t*, t*is vuln*r**ility will **us* p*t* tr*v*rs*l issu*s *or lo****-in us*rs. Us*rs s*oul* up*r*** to v*rsion *.*.* to *voi* t*is issu*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* v*li**tion w**n **n*lin* us*r-suppli** 'r*l*tion p*t*' p*r*m*t*rs. In J*v*-**s** syst*ms, p*t* tr*v*rs*l vuln*r**iliti*s typi**lly o**ur in *un*tions t**t: *. R***iv* us*r input vi* *PI *n*points (*ontroll*r

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-34662: Apache DolphinScheduler vulnerable to Path Traversal

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI