CVE-2022-45462
Published: 23 November 2022
Summary
CVE-2022-45462 is a critical-severity Command Injection (CWE-77) vulnerability in Apache DolphinScheduler. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-45462 is a command injection flaw (CWE-77) in the alarm instance management feature of Apache DolphinScheduler that is triggered when a specific command is configured for an alarm instance. It carries a CVSS 3.1 base score of 9.8 and affects the alarm-handling component of the affected versions.
An attacker who is already a logged-in user can supply a crafted command through the network-accessible management interface. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected system.
Public advisories published alongside the CVE recommend upgrading to version 2.0.6 or later to eliminate the injection vector; the referenced Apache and OpenWall disclosures contain the same remediation guidance.
The associated EPSS score has remained flat at 0.2126 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7456
Vulnerability details
Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.