CVE-2023-48796
Severity: 7.5 HIGH
EPSS: 0.4% (top 38.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 24
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.
The information exposed to unauthorized actors may include sensitive data such as database credentials.
Users who can't upgrade to the fixed version can also set the environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to work around this, or add the following section to the `application.yaml` file:
```
management:
  endpoints:
    web:
      exposure:
        include: health,metri…
```
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 4 packages
Vulnerability Details
4 OSV
CVE-2023-48796: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler (2023-11-24)