Apache DolphinScheduler exposed Py4j gateway #192

Open
hayageek wants to merge 4 commits into google:main from hayageek:main

@hayageek

@robert-doyensec

Hi @hayageek, can you modify the README to also provide instructions for a secure version (non-default credentials)?

@hayageek
Author

Hi @robert-doyensec, I have added the instructions for a secure version.

@robert-doyensec

Hi @hayageek, is there any reason that the testbed uses version 3.1.5, which seems to be from 2023? I tried to test on 3.4.0 to see if the plugin would still work, and it fails to authenticate against the Java Gateway. Just trying to see if this could be updated to work against a newer version.

@hayageek
Author

Hi @robert-doyensec, I have tested all the versions. This issue does not affect 3.4.0+, where the Py4J gateway is disabled by default.

Affected Versions

| Version | Release | Py4j Gateway Exploitable |
|---|---|---|
| 3.1.5 | ~4 years ago | Yes |
| 3.1.9 | ~2 years ago | Yes |
| 3.2.1 | ~2 years ago | Yes |
| 3.2.2 | >1 year ago | Yes |
| 3.3.0-alpha | 11 months ago | Yes |
| 3.3.1 | 6 months ago | Yes |
| 3.3.2 | 4 months ago | Yes |
| 3.4.0 | 1 month ago | No (gateway disabled by default) |

````
```

#### Affected Versions
````

For the release column can you put the year/month or just note that these dates are relative to February 2026?

Author

Hi @robert-doyensec, I retrieved the release dates from GitHub and added them.
