Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to: * version ≥ 3.2.0 if using 3.1.x As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable: ``` MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus ``` Alternatively, add the following configuration to the application.yaml file: ``` management:    endpoints:      web:         exposure:           include: health,metrics,prometheus ``` This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796

N/A

信息暴露

Apache DolphinScheduler 安全漏洞

Apache DolphinScheduler是美国阿帕奇（Apache）基金会的一个现代数据编排平台。 Apache DolphinScheduler 3.1.x版本存在安全漏洞，该漏洞源于敏感信息暴露，可能导致未经授权的访问。

N/A

N/A