PT-2023-30962 · Apache · Apache Dolphinscheduler
Zhenxu Ke · Published 2023-11-24 · Updated 2026-04-09
CVE-2023-48796
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache DolphinScheduler versions 3.0.0 through 3.0.1
Description
The issue concerns the exposure of sensitive information to unauthorized actors, potentially including database credentials. This exposure can occur in Apache DolphinScheduler, affecting the confidentiality of sensitive data.
Recommendations
To resolve the issue, users are recommended to upgrade to version 3.0.2, which fixes the problem.
For users who cannot upgrade to the fixed version, a temporary workaround is to set the environment variable
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
Alternatively, users can add the following section to the application.yaml file:

    management:
      endpoints:
        web:
          exposure:
            include: health,metrics,prometheus

Fix
Information Disclosure
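To confirm the workaround above is actually in effect, the following check reads the exposure setting from the environment variable or from application.yaml and reports any endpoint outside health, metrics and prometheus. It is an added example, not code from the advisory or from the DolphinScheduler project; the function names and the sample YAML strings are constructed, and treating an unset value as a finding is an assumption of this sketch.

```python
import os
import sys

ALLOWED = {"health", "metrics", "prometheus"}  # allow-list from the workaround
ENV_VAR = "MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE"
KEY = "management.endpoints.web.exposure.include"

def yaml_scalars(text):
    """Flatten block-style YAML mappings into {dotted.key: scalar}.
    Deliberately minimal: no lists, anchors or multi-line scalars."""
    out, stack = {}, []  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if ":" not in line or line.lstrip().startswith(("#", "-")):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return out

def audit(yaml_text, env):
    """Return (ok, offending). The environment variable overrides
    application.yaml, matching Spring Boot's property precedence."""
    value = env.get(ENV_VAR)
    if value is None:
        value = yaml_scalars(yaml_text).get(KEY)
    if value is None:
        return False, ["<not set>"]  # assumption: workaround not applied
    exposed = {e.strip() for e in value.split(",") if e.strip()}
    offending = sorted(exposed - ALLOWED)
    return not offending, offending

# Constructed sample inputs (not taken from a real deployment).
WEAK = "management:\n  endpoints:\n    web:\n      exposure:\n        include: '*'\n"
FIXED = WEAK.replace("'*'", "health,metrics,prometheus")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK
    ok, offending = audit(text, os.environ)
    print("OK" if ok else f"FINDING: exposure not limited: {offending}")
    sys.exit(0 if ok else 1)
```

Run it with the path to the deployed application.yaml as the only argument, in the same environment the service starts with, so the environment variable override is taken into account.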
Affected products
Apache Dolphinscheduler