CVE-2023-48796
Good to know:
Date: November 24, 2023
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials.

Users who can't upgrade to the fixed version can work around this by setting the environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus`, or by adding the following section to the `application.yaml` file:

```
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.
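An added example (not from the advisory or the DolphinScheduler project): a Python check that reports which Spring Boot Actuator endpoints a deployment exposes beyond the workaround's `health,metrics,prometheus` list, reading the environment variable first because Spring Boot ranks it above `application.yaml`. The function names, the sample YAML strings and the `'*'` wide-open value are constructed for illustration, and the small YAML walker handles only nested block-style maps or dotted keys.

```python
import os

ALLOWED = {"health", "metrics", "prometheus"}  # the advisory's workaround list
KEY = "management.endpoints.web.exposure.include"
ENV = "MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE"

def yaml_lookup(text, dotted_key):
    """Scalar lookup in simple block-style YAML (nested maps or dotted keys only)."""
    stack = []  # (indent, dotted path) of the enclosing keys
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = (stack[-1][1] + "." if stack else "") + key.strip()
        if path == dotted_key and value.strip():
            return value.strip().strip("'\"")
        stack.append((indent, path))
    return None

def audit(yaml_text, environ=None):
    """Return (source, extras): where the setting came from, and endpoints beyond ALLOWED."""
    environ = os.environ if environ is None else environ
    if environ.get(ENV):  # Spring Boot ranks env vars above application.yaml
        source, value = "env", environ[ENV]
    else:
        source, value = "yaml", yaml_lookup(yaml_text, KEY)
    if value is None:
        return "unset", []  # framework default applies; not evaluated here
    exposed = {e.strip() for e in value.split(",") if e.strip()}
    return source, sorted(exposed - ALLOWED)

# Constructed samples: a wide-open setting (assumed; '*' exposes every endpoint)
# and the section given in the advisory.
WIDE_OPEN = "management:\n  endpoints:\n    web:\n      exposure:\n        include: '*'\n"
WORKAROUND = WIDE_OPEN.replace("'*'", "health,metrics,prometheus")

if __name__ == "__main__":
    for name, text in (("wide open", WIDE_OPEN), ("workaround", WORKAROUND)):
        print(name, audit(text, environ={}))
```

A non-empty second element means the effective setting exposes endpoints beyond the workaround's list; `unset` means neither source defines the key.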
Language: Java
Severity Score
Weakness Type (CWE)
Information Leak / Disclosure
CWE-200
Insufficient Information
NVD-CWE-noinfo
Top Fix
Upgrade Version
Upgrade to version org.apache.dolphinscheduler:dolphinscheduler-alert-server:3.0.2, org.apache.dolphinscheduler:dolphinscheduler-api:3.0.2, org.apache.dolphinscheduler:dolphinscheduler-master:3.0.2, org.apache.dolphinscheduler:dolphinscheduler-standalone-server:3.0.2, org.apache.dolphinscheduler:dolphinscheduler-worker:3.0.2
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |