CVE-2023-48796

Опубликовано: 24 нояб. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.

The information exposed to unauthorized actors may include sensitive data such as database credentials.

Users who can't upgrade to the fixed version can also set environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus to workaround this, or add the following section in the application.yaml file

management: endpoints: web: exposure: include: health,metrics,prometheus

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2, which fixes the issue.

Ссылки

http://www.openwall.com/lists/oss-security/2023/11/24/1
Mailing List
Mitigation
Third Party Advisory
https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo
Mailing List
Mitigation
Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/11/24/1
Mailing List
Mitigation
Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/11/28/1
https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo
Mailing List
Mitigation
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*

Версия от 3.0.0 (включая) до 3.0.2 (исключая)

EPSS

Процентиль: 67%

0.00534

Низкий

7.5 High

CVSS3

Дефекты

CWE-200

NVD-CWE-noinfo

Связанные уязвимости

GHSA-4vvc-r4p4-qgrr