PIP: Apache DolphinScheduler Default Credentials Tester with RCE #531
Hi Team,
I would like to develop a plugin for an Apache DolphinScheduler weak credentials tester. Apache DolphinScheduler is an open-source distributed workflow scheduler designed to manage complex data and task workflows across various systems efficiently.
The platform uses different credentials for its UI and Java Gateway API (based on https://github.com/py4j). The Java Gateway API, in particular, comes with a default authentication token.
For information on setting up DolphinScheduler using Docker, refer to the official documentation. The Docker image used is apache/dolphinscheduler-standalone-server:3.1.5.
According to the configuration guide, if DolphinScheduler is deployed with the Docker image (apache/dolphinscheduler-standalone-server), it uses the default auth token:
Note that if the Java Gateway is exposed, it is possible for anyone to perform tasks (e.g., Shell, Python), which could lead to remote code execution (RCE).