CVE-2023-48796: Apache DolphinScheduler Vulnerability at Risk of Data Breach
Apache DolphinScheduler is a popular open-source workflow management platform that is widely used by enterprises to orchestrate and manage complex data processing pipelines. Recently, a critical vulnerability, CVE-2023-48796, was discovered in Apache DolphinScheduler that could allow unauthorized actors to access sensitive information, including database credentials. This vulnerability affects Apache DolphinScheduler versions 3.0.0 to 3.0.1.
Impact of the Vulnerability
The CVE-2023-48796 vulnerability is classified as “important” due to the potential impact it could have on organizations that rely on Apache DolphinScheduler. If exploited, this vulnerability could allow attackers to gain unauthorized access to sensitive information, such as database credentials, which could be used to launch further attacks or compromise sensitive data.
Mitigation Strategies
To mitigate the risk associated with this vulnerability, organizations should take immediate action to upgrade their Apache DolphinScheduler installations to version 3.0.2, which fixes the vulnerability. If upgrading is not immediately feasible, organizations can implement a workaround by setting the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus, or by adding the following section to the application.yaml file:
management:
endpoints:
web:
exposure:
include: health,metrics,prometheus
By upgrading to the latest version or implementing the provided workaround, organizations can effectively mitigate the risk of unauthorized access to sensitive information.