Apache DolphinScheduler sensitive information disclosure
High severity
GitHub Reviewed
Published
Nov 24, 2023
to the GitHub Advisory Database
•
Updated Nov 21, 2024
Description
Published by the National Vulnerability Database
Nov 24, 2023
Published to the GitHub Advisory Database
Nov 24, 2023
Reviewed
Nov 27, 2023
Last updated
Nov 21, 2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.
The information exposed to unauthorized actors may include sensitive data such as database credentials.
Users who can't upgrade to the fixed version can also set environment variable
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
to workaround this, or add the following section in theapplication.yaml
fileThis issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.
Users are recommended to upgrade to version 3.0.2, which fixes the issue.
References