CVE-2024-43166

Critical

Published: 03 September 2025

Published

03 September 2025

Modified

04 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43166 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Apache Dolphinscheduler. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 36.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely remediation of the incorrect default permissions flaw through vendor patching to version 3.3.1.

CM-6 Configuration Settings good match

prevent

Ensures secure baseline configuration settings for Apache DolphinScheduler, including correction of overly permissive default access controls to prevent unauthorized high-level access.

AC-3 Access Enforcement good match

prevent

Mandates enforcement of approved access authorizations, directly countering the vulnerability's improper default permissions that allow remote unauthenticated attackers high-level access to sensitive data and functions.

NVD Description

Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

Deeper analysisAI

CVE-2024-43166 is an Incorrect Default Permissions vulnerability (CWE-276) in Apache DolphinScheduler, affecting versions prior to 3.2.2. This flaw stems from improper configuration of default access controls, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact across confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-level access, enabling the attacker to read sensitive data, modify configurations or workflows, and disrupt service operations within the DolphinScheduler instance.

Apache advisories recommend upgrading to version 3.3.1, which resolves the issue by correcting the default permissions. Additional details are available in the official Apache announcement at https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2025/09/03/2.

Details

CWE(s): CWE-276

Affected Products

apache

dolphinscheduler

≤ 3.2.2

CVEs Like This One

CVE-2025-62188Same product: Apache Dolphinscheduler

CVE-2026-23902Same product: Apache Dolphinscheduler

CVE-2024-55532Same vendor: Apache

CVE-2025-66524Same vendor: Apache

CVE-2026-24308Same vendor: Apache

CVE-2026-30911Same vendor: Apache

CVE-2026-41602Same vendor: Apache

CVE-2026-40010Same vendor: Apache

CVE-2026-39816Same vendor: Apache

CVE-2026-31908Same vendor: Apache

References

https://lists.apache.org/thread/8zd69zkkx55qp365xp4tml1xh9og5lhk
Mailing List · security@apache.org
http://www.openwall.com/lists/oss-security/2025/09/03/2
af854a3a-2127-422b-91ae-364da2661108