Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management:   endpoints:     web:       exposure:         include: health,metrics,prometheus ``` This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.

Remediation

References

https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo

http://www.openwall.com/lists/oss-security/2023/11/24/1

Related Vulnerabilities

CVE-2023-39345 Vulnerability in npm package @strapi/strapi

CVE-2021-21631 Vulnerability in maven package org.jenkins-ci.plugins:cloud-stats

CVE-2014-3623 Vulnerability in maven package wss4j:wss4j

CVE-2021-39135 Vulnerability in npm package @npmcli/arborist

CVE-2023-25765 Vulnerability in maven package org.jenkins-ci.plugins:email-ext

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Mitigation Vendor Advisory Third Party Advisory NVD-CWE-noinfo