apache / dolphinscheduler

Apache DolphinScheduler is the modern data orchestration platform. Agile to create high performance workflow with low-code
https://dolphinscheduler.apache.org/
Apache License 2.0

[Improvement]Security Vulnerability in GitPython Dependency (CVE-2024-22190) #16742

Open Joegardner20 opened 1 month ago

Joegardner20 commented 1 month ago

Search before asking

What happened

Issue Description: During the setup of the DolphinScheduler project, I encountered a security vulnerability in the GitPython dependency listed in dolphinscheduler/tools/release/requirements.txt. The current version constraint, GitPython~=3.1, includes versions of GitPython that are affected by CVE-2024-22190.

Vulnerable Version:
• GitPython: Versions < 3.1.41 are affected by this vulnerability.

Suggested Resolution: To mitigate this issue, please update the version of GitPython to 3.1.41 or later in the requirements.txt file.

What you expected to happen

fix this vulnerability

How to reproduce

Install the current version of DolphinScheduler following the standard setup guide. Ensure that the GitPython dependency is installed according to the version constraint specified in dolphinscheduler/tools/release/requirements.txt (i.e., GitPython~=3.1). This setup introduces the CVE-2024-22190 vulnerability, as it allows installation of GitPython versions below 3.1.41, which are affected by this security issue.

Anything else

No response

Version

3.2.x

Are you willing to submit PR?

Code of Conduct
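
The report above turns on what the PEP 440 compatible-release operator `~=` actually admits: `GitPython~=3.1` means `>=3.1, ==3.*`, so every 3.1.x release, including those below the fixed version 3.1.41 named in the report, satisfies the constraint. The script below is an added example (not code from DolphinScheduler or GitPython) that parses a requirements.txt line, implements the `~=`, `==`, `!=`, `<`, `<=`, `>`, `>=` comparisons for plain numeric versions, and lists which releases a constraint still allows that are older than a given fixed version. The list of release strings is a constructed sample for the demonstration, not a query of PyPI; only the fixed version 3.1.41 is taken from the report.

```python
"""Check whether a requirements.txt constraint still admits versions below a fix.

Added example, not part of DolphinScheduler. Handles plain numeric versions
(X.Y.Z) and the PEP 440 operators ~=, ==, !=, <, <=, >, >=; pre-releases,
wildcards (==3.*) and extras are out of scope and raise ValueError.
"""
import re
from typing import List, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, str]  # (operator, raw version text)

_CLAUSE_RE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)")
_REQ_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)")


def parse_version(text: str) -> Version:
    """'3.1.41' -> (3, 1, 41). Rejects anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad both tuples with zeros so (3, 1) compares equal to (3, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a: Version, b: Version) -> bool:
    a, b = _pad(a, b)
    return a < b


def clause_allows(clause: Clause, version: Version) -> bool:
    """Does a single specifier clause such as ('~=', '3.1') admit `version`?"""
    op, raw = clause
    target = parse_version(raw)
    if op == "~=":
        # PEP 440 compatible release: ~=X.Y means >=X.Y and ==X.*,
        # i.e. the last stated component may grow, earlier ones are fixed.
        if len(target) < 2:
            raise ValueError("~= requires at least two version components")
        lower, v = _pad(target, version)
        prefix = target[:-1]
        return v >= lower and v[: len(prefix)] == prefix
    a, b = _pad(version, target)
    return {
        "==": a == b, "!=": a != b,
        ">=": a >= b, "<=": a <= b,
        ">": a > b, "<": a < b,
    }[op]


def parse_requirement(line: str) -> Tuple[str, List[Clause]]:
    """'GitPython~=3.1' -> ('GitPython', [('~=', '3.1')]); comments are stripped."""
    line = line.split("#", 1)[0].strip()
    m = _REQ_RE.fullmatch(line)
    if not m or not m.group(1):
        raise ValueError(f"cannot parse requirement line: {line!r}")
    name, spec = m.group(1), m.group(2).strip()
    clauses: List[Clause] = []
    if spec:
        for part in spec.split(","):
            cm = _CLAUSE_RE.fullmatch(part.strip())
            if not cm:
                raise ValueError(f"unsupported specifier: {part.strip()!r}")
            clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def spec_allows(clauses: List[Clause], version: Version) -> bool:
    """All clauses of a specifier must hold (a comma means AND)."""
    return all(clause_allows(c, version) for c in clauses)


def vulnerable_versions_allowed(line: str, released: List[str], fixed_in: str) -> List[str]:
    """Released versions that `line` admits and that are older than `fixed_in`."""
    _, clauses = parse_requirement(line)
    fixed = parse_version(fixed_in)
    return [
        v for v in released
        if spec_allows(clauses, parse_version(v)) and version_lt(parse_version(v), fixed)
    ]


# Constructed sample of release strings for the demonstration; 3.1.41 is the
# fixed version named in the report, the rest are illustrative values.
SAMPLE_RELEASES = ["3.0.9", "3.1.0", "3.1.30", "3.1.40", "3.1.41", "3.1.43"]

if __name__ == "__main__":
    for req in ("GitPython~=3.1", "GitPython~=3.1.41", "GitPython>=3.1.41"):
        bad = vulnerable_versions_allowed(req, SAMPLE_RELEASES, "3.1.41")
        print(f"{req:<22} admits vulnerable: {bad or 'none'}")
```

Running it shows the contrast the report is about: `GitPython~=3.1` admits 3.1.0, 3.1.30 and 3.1.40 from the sample, while `GitPython~=3.1.41` (or `>=3.1.41`) admits none of them. Note that `~=3.1.41` also excludes a future 3.2.0, so a project that wants to allow the whole 3.x line after the fix needs `>=3.1.41,<4` rather than a compatible-release pin.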

github-actions[bot] commented 1 day ago

This issue has been automatically marked as stale because it has not had recent activity for 30 days. It will be closed in the next 7 days if no further activity occurs.