Apache DolphinScheduler 3.0.0-3.0.1 Sensitive Data Exposed via Mgmt Endpoints
CVE-2023-48796 Published on November 24, 2023
Apache dolphinscheduler sensitive information disclosure
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.
The information exposed to unauthorized actors may include sensitive data such as database credentials.
Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file
```
management:
endpoints:
web:
exposure:
include: health,metrics,prometheus
```
This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.
Users are recommended to upgrade to version 3.0.2, which fixes the issue.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2023-48796 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2023-48796
Want to know whenever a new CVE is published for Apache DolphinScheduler? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache DolphinScheduler:- Version 3.0.0 and below 3.0.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.