CVE-2023-48796

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/11/24/1	Mailing List Mitigation Third Party Advisory
https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo	Mailing List Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*

History

01 Dec 2023, 20:14

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo -~~	() https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo - Mailing List, Mitigation, Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2023/11/24/1 -~~	() http://www.openwall.com/lists/oss-security/2023/11/24/1 - Mailing List, Mitigation, Third Party Advisory
First Time		Apache dolphinscheduler Apache
CWE	~~CWE-200~~	NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:apache:dolphinscheduler::::::::

24 Nov 2023, 15:24

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2023/11/24/1 -

24 Nov 2023, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-24 08:15

Updated : 2023-12-10 15:26

NVD link : CVE-2023-48796

Mitre link : CVE-2023-48796

CVE.ORG link : CVE-2023-48796

JSON object : View

Products Affected

apache

dolphinscheduler

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-48796", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-11-24T08:15:20.810", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/11/24/1", "tags": ["Mailing List", "Mitigation", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.\n\nThe information exposed to unauthorized actors may include sensitive data such as database credentials.\n\nUsers who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file\n\n```\nmanagement:\n\u00a0 endpoints:\n\u00a0 \u00a0 web:\n\u00a0 \u00a0 \u00a0 exposure:\n\u00a0 \u00a0 \u00a0 \u00a0 include: health,metrics,prometheus\n```\n\nThis issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.\n\nUsers are recommended to upgrade to version 3.0.2, which fixes the issue.\n\n"}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial a una vulnerabilidad de actor no autorizado en Apache DolphinScheduler. La informaci\u00f3n expuesta a actores no autorizados puede incluir datos confidenciales, como credenciales de bases de datos. Los usuarios que no pueden actualizar a la versi\u00f3n fija tambi\u00e9n pueden configurar la variable de entorno `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` para solucionar este problema, o agregar la siguiente secci\u00f3n en el archivo ``application.yaml` ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` Este problema afecta a Apache DolphinScheduler: desde 3.0.0 antes de 3.0.2. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.0.2, que soluciona el problema."}], "lastModified": "2023-12-01T20:14:35.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F94E80ED-DC7C-4C16-AF93-501D35F0E070", "versionEndExcluding": "3.0.2", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}