6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-34662

GHSA ID

GHSA-fp35-xrrr-3gph

EPSS Score

0.33559%

CWE

CWE-22

Published

11/1/2022

Updated

1/31/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-34662

CVE-2022-34662: Apache DolphinScheduler vulnerable to Path Traversal

When users add resources to the resource center with a relation path, this vulnerability will cause path traversal issues for logged-in users. Users should upgrade to version 3.0.0 to avoid this issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-34662

CVE-2022-34662:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-34662

GHSA ID

GHSA-fp35-xrrr-3gph

EPSS Score

0.33559%

CWE

CWE-22

Published

11/1/2022

Updated

1/31/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.dolphinscheduler:dolphinscheduler	maven	< 3.0.0	3.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path validation when handling user-supplied 'relation path' parameters. In Java-based systems, path traversal vulnerabilities typically occur in functions that: 1. Receive user input via API endpoints (Controller layer) 2. Process file paths in service methods (Service layer) without proper canonicalization. The ResourceService.createResource is a high-confidence candidate as resource management core logic would reside here, while the ResourceController.uploadResource is medium confidence as it's the entry point but might delegate validation to service layers. Both would fail to properly sanitize paths using methods like getCanonicalPath() with base directory checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-34662: Apache DolphinScheduler vulnerable to Path Traversal

CVE-2022-34662:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

CVE-2022-34662: Apache DolphinScheduler vulnerable to Path Traversal

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI