PT-2023-30962 · Apache · Apache Dolphinscheduler

Zhenxu Ke · Published 2023-11-24 · Updated 2026-04-09 · CVE-2023-48796

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache DolphinScheduler versions 3.0.0 through 3.0.1

Description: The issue is an exposure of sensitive information to unauthorized actors, potentially including database credentials, in Apache DolphinScheduler; it affects the confidentiality of sensitive data.

Recommendations: To resolve the issue, users are recommended to upgrade to version 3.0.2, which fixes the problem. For users who cannot upgrade to the fixed version, a temporary workaround is to set the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus. Alternatively, users can add the following section to the application.yaml file:

management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
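As an added, defender-side example (not code from the advisory or the DolphinScheduler project), the check below parses the exposure block above and applies Spring Boot's documented exposure rules (include list or '*', exclude applied afterwards and winning, web default of health only) to report which actuator endpoints that can disclose configuration and secrets would be reachable; the endpoint list and the sample configs are constructed for illustration.

```python
# Added example, not DolphinScheduler project code: audits the
# management.endpoints.web.exposure block of a Spring Boot application.yaml.
# Parsing covers only the scalar-valued nested shape shown in the advisory.

# Constructed list of actuator endpoints whose responses can carry
# credentials or internals (env, for instance, shows datasource properties).
SENSITIVE_ENDPOINTS = {"env", "configprops", "heapdump", "beans", "mappings",
                       "threaddump", "loggers"}


def parse_simple_yaml(text):
    """Parse indentation-nested 'key: value' YAML (scalars only) into dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: climb back to the parent map
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("'\"")
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def exposed_sensitive_endpoints(config_text):
    """Spring Boot rules: include names ids or '*'; exclude is applied after
    include and takes precedence; the web default include is 'health'."""
    cfg = parse_simple_yaml(config_text)
    exposure = (cfg.get("management", {}).get("endpoints", {})
                .get("web", {}).get("exposure", {}))
    include = _csv(exposure.get("include", "health"))
    exclude = _csv(exposure.get("exclude", ""))
    if "*" in exclude:
        return set()
    exposed = SENSITIVE_ENDPOINTS if "*" in include else SENSITIVE_ENDPOINTS & include
    return exposed - exclude


# Constructed samples: a permissive wildcard and the advisory's workaround.
PERMISSIVE_CONFIG = "management:\n  endpoints:\n    web:\n      exposure:\n        include: '*'\n"
WORKAROUND_CONFIG = "management:\n  endpoints:\n    web:\n      exposure:\n        include: health,metrics,prometheus\n"

if __name__ == "__main__":
    print("permissive exposes:", sorted(exposed_sensitive_endpoints(PERMISSIVE_CONFIG)))
    print("workaround exposes:", sorted(exposed_sensitive_endpoints(WORKAROUND_CONFIG)))
```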

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-48796
GHSA-3CJC-VHFM-FFP2
GHSA-4VVC-R4P4-QGRR
PYSEC-2023-268

Affected Products

Apache Dolphinscheduler