CVE-2023-48796

2023-11-2408:15:20

CWE-200

[email protected]

web.nvd.nist.gov

cve

2023

48796

apache dolphinscheduler

sensitive information

unauthorized actor

vulnerability

database credentials

upgrade

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

23.3%

JSON

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.

The information exposed to unauthorized actors may include sensitive data such as database credentials.

Users who can’t upgrade to the fixed version can also set environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus to workaround this, or add the following section in the application.yaml file

management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2, which fixes the issue.

Affected configurations

Vulners

NVD

Node

apachedolphinschedulerRange≤3.0.2

CPENameOperatorVersion
apache:dolphinschedulerapache dolphinschedulerlt3.0.2

CPE	Name	Operator	Version
apache:dolphinscheduler	apache dolphinscheduler	lt	3.0.2

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache DolphinScheduler",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.0.2",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      }
    ]
  }
]