CVE-2023-48796

Published: Nov 24, 2023 | Modified: Dec 01, 2023
CVSS 3.x: 7.5 HIGH (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.

The information exposed to unauthorized actors may include sensitive data such as database credentials.

Users who can't upgrade to the fixed version can work around this by setting the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus, or by adding the following section to the application.yaml file:

management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2, which fixes the issue.
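The workaround above narrows the Spring Boot actuator exposure list to three endpoints. The following is an added example, not code from Apache DolphinScheduler or from the advisory: a small audit script that resolves the effective value of management.endpoints.web.exposure.include the way Spring Boot does (environment variable over application.yaml) and flags the two risky states, a "*" wildcard or any endpoint id outside the advisory's allowlist. The function names (yaml_path_value, effective_exposure, audit_exposure), the sample YAML documents and the treatment of an unset property as "health" are assumptions of this example; the precedence and wildcard semantics come from Spring Boot's configuration model, not from the advisory text.

```python
"""Audit the Spring Boot actuator exposure property that the
CVE-2023-48796 workaround relies on.  Added example, not code from
Apache DolphinScheduler or the advisory.

Assumptions (Spring Boot behaviour, not stated in the advisory):
  * MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE (env var) overrides the
    application.yaml value of management.endpoints.web.exposure.include;
  * the value is a comma-separated list of endpoint ids, and "*" means
    every actuator endpoint is exposed over HTTP.
"""
import os
from typing import Iterable, Optional

PROPERTY_PATH = ("management", "endpoints", "web", "exposure", "include")
ENV_VAR = "MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE"
# The set the advisory's workaround leaves reachable.
ALLOWED = frozenset({"health", "metrics", "prometheus"})
# Used when neither the file nor the env var sets the property.  Spring
# Boot's real default depends on the Boot version; "health" is an assumption.
DEFAULT_INCLUDE = "health"


def yaml_path_value(text: str, path: Iterable[str]) -> Optional[str]:
    """Return the value at `path` in block-style YAML as a comma-joined
    string (scalar, flow list or block list), or None if absent.
    Minimal indentation walker, not a full YAML parser: enough for
    application.yaml fragments like the one in the advisory."""
    path = list(path)
    stack = []            # (indent, key) of the mappings enclosing this line
    items = []            # block-list entries under the target key
    in_list = False
    list_indent = -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if in_list:
            if indent > list_indent and stripped.startswith("- "):
                items.append(stripped[2:].strip().strip("'\""))
                continue
            return ",".join(items)                # dedented: the list ended
        while stack and indent <= stack[-1][0]:   # leave finished mappings
            stack.pop()
        if ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        stack.append((indent, key.strip()))
        if [k for _, k in stack] != path:
            continue
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):   # flow list
            value = value[1:-1]
        if value:
            return value.strip("'\"")
        in_list, list_indent = True, indent       # a block list follows
    return ",".join(items) if in_list else None


def effective_exposure(yaml_text: str, env: Optional[dict] = None) -> set:
    """Resolve the exposure list the way Spring Boot would: env var first,
    then application.yaml, then the (assumed) default."""
    env = os.environ if env is None else env
    value = env.get(ENV_VAR)
    if value is None:
        value = yaml_path_value(yaml_text, PROPERTY_PATH)
    if value is None:
        value = DEFAULT_INCLUDE
    return {item.strip().strip("'\"") for item in value.split(",") if item.strip()}


def audit_exposure(exposed: set, allowed: frozenset = ALLOWED) -> dict:
    """Flag the two risky states: the '*' wildcard (every endpoint
    reachable) and any endpoint id outside the allowlist."""
    wildcard = "*" in exposed
    extra = sorted(e for e in exposed if e not in allowed and e != "*")
    return {"wildcard": wildcard, "extra": extra, "ok": not (wildcard or extra)}


# Constructed sample files (not taken from any deployment).
RISKY_YAML = """\
management:
  endpoints:
    web:
      exposure:
        include: "*"   # wildcard: every actuator endpoint over HTTP
"""
FIXED_YAML = """\
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
"""
LIST_YAML = """\
management:
  endpoints:
    web:
      exposure:
        include:
          - health
          - metrics
          - prometheus
          - loggers   # outside the allowlist, so it is reported
server:
  port: 12345
"""

if __name__ == "__main__":
    for name, doc in (("risky", RISKY_YAML), ("fixed", FIXED_YAML), ("list", LIST_YAML)):
        print(name, audit_exposure(effective_exposure(doc, env={})))
```

Run it against a real application.yaml by passing the file contents to effective_exposure with env left as None, so the process environment is honoured exactly as it would be for the running service; an "ok": False result means the service still exposes more than the advisory's workaround set.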

Affected Software

Name                Vendor   Start Version        End Version
Dolphinscheduler    Apache   3.0.0 (including)    3.0.2 (excluding)