Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.
The information exposed to unauthorized actors may include sensitive data such as database credentials.
Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file
```
management:
endpoints:
web:
exposure:
include: health,metrics,prometheus
```
This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.
Users are recommended to upgrade to version 3.0.2, which fixes the issue.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/11/24/1 | Mailing List Mitigation Third Party Advisory |
https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo | Mailing List Mitigation Vendor Advisory |
http://www.openwall.com/lists/oss-security/2023/11/24/1 | Mailing List Mitigation Third Party Advisory |
https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo | Mailing List Mitigation Vendor Advisory |
Configurations
History
21 Nov 2024, 08:32
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2023/11/24/1 - Mailing List, Mitigation, Third Party Advisory | |
References | () https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo - Mailing List, Mitigation, Vendor Advisory |
01 Dec 2023, 20:14
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2023/11/24/1 - Mailing List, Mitigation, Third Party Advisory | |
References | () https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo - Mailing List, Mitigation, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:* |
24 Nov 2023, 15:24
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-24 08:15
Updated : 2024-11-21 08:32
NVD link : CVE-2023-48796
Mitre link : CVE-2023-48796
CVE.ORG link : CVE-2023-48796
JSON object : View
Products Affected
apache
- dolphinscheduler
CWE