| Description: | | Apache DolphinScheduler is a distributed workflow orchestration platform widely used for data pipeline automation. CVE-2020-13922 arises from unsafe deserialization of user-supplied data within the data-source connection test function. An attacker able to reach the /dolphinscheduler/datasources/connect endpoint can embed a malicious serialized Java object that contains attacker-controlled class names and runtime parameters. When the server reconstructs the object, it instantiates arbitrary classes available on the application classpath, leading to remote code execution in the context of the DolphinScheduler process. Typical exploitation chains leverage gadgets already present in common dependency libraries (e.g., commons-collections, groovy, or JDBC drivers) to invoke Runtime.exec, load additional binaries, or manipulate the JVM security manager. Successful compromise grants the adversary full control over the workflow engine, allowing modification or deletion of production data pipelines, lateral movement to connected databases, credential harvesting from job configurations, and establishment of persistent backdoors inside critical data infrastructure. Because the vulnerability is pre-authentication and the product is often deployed with privileged OS or cloud accounts, the impact frequently extends beyond the single cluster to the entire data lake or analytics environment. |