Apache dolphinscheduler sensitive information disclosure
CVE-2023-48796

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache DolphinScheduler
Vendor: CVE Published:; 24 November 2023

Summary

A vulnerability in Apache DolphinScheduler allows unauthorized actors to access sensitive information, including database credentials. This issue affects versions from 3.0.0 to 3.0.1. Users are advised to upgrade to version 3.0.2 to mitigate this exposure. For those unable to upgrade, a temporary workaround involves configuring the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus, or adapting the application.yaml settings to restrict endpoint exposure.

Affected Version(s)

Apache DolphinScheduler 3.0.0 < 3.0.2

References

https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/11/24/1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 24, 2023
Vulnerability Reserved
Nov 20, 2023