CVE-2022-45462

Critical · RCE

Published: 23 November 2022
Modified: 25 April 2025
KEV Added: not listed
Patch: upgrade available (version 2.0.6 or later)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2126 (95.8th percentile)
Risk Priority: 32 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-45462 is a critical-severity Command Injection (CWE-77) vulnerability in Apache DolphinScheduler. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 4.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-45462 is a command injection flaw (CWE-77) in DolphinScheduler's alarm instance management that is triggered when a specific command is configured for an alarm instance. It carries a CVSS 3.1 score of 9.8 and affects the alarm-handling component of the impacted software.

An attacker who already holds a valid login can supply a crafted command through the network-accessible management interface; no user interaction is required (PR:L, UI:N). Successful exploitation gives the attacker full control over the confidentiality, integrity, and availability of the affected system.

Public advisories published alongside the CVE recommend upgrading to version 2.0.6 or later to remove the injection vector; the referenced Apache and oss-security (OpenWall) disclosures carry the same remediation guidance.

The associated EPSS score has remained flat at 0.2126 with no material increase after disclosure.

Vulnerability details

Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: dolphinscheduler
Affected versions: ≤ 2.0.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
