CVE-2023-48796: Apache DolphinScheduler Vulnerability Exposes Sensitive Data

Apache DolphinScheduler is a distributed and easy-to-expand visual workflow task scheduling open-source platform. It is widely used for enterprise-level scheduling tasks. However, a recently discovered vulnerability in Apache DolphinScheduler, identified as CVE-2023-48796, poses a significant security risk. This vulnerability allows unauthorized actors to gain access to sensitive information, including database credentials.

Vulnerability Details

CVE-2023-48796 is classified as an “important” severity vulnerability. It affects Apache DolphinScheduler versions 3.0.0 to 3.0.2. The vulnerability arises due to improper exposure of sensitive information, particularly database credentials. This allows unauthorized actors to intercept and exploit this sensitive data, potentially gaining unauthorized access to the underlying database and compromising the integrity and security of the system.

Impact

The exposure of sensitive information, including database credentials, can have severe consequences for organizations using Apache DolphinScheduler. Unauthorized access to the database could allow attackers to manipulate data, steal sensitive information, or even disrupt operations. This could lead to financial losses, reputational damage, and potential legal repercussions.

Mitigation

To address this vulnerability, Apache DolphinScheduler has released version 3.0.2, which fixes the issue. Users are strongly recommended to upgrade to this latest version as soon as possible. Alternatively, if upgrading is not immediately feasible, users can implement a workaround by setting the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus. This will restrict the exposure of sensitive information. Additionally, users can add the following section to the application.yaml file: