High severityNVD Advisory· Published Nov 24, 2023· Updated Nov 28, 2025
Apache dolphinscheduler sensitive information disclosure
CVE-2023-48796
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.
The information exposed to unauthorized actors may include sensitive data such as database credentials.
Users who can't upgrade to the fixed version can also set environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus to workaround this, or add the following section in the application.yaml file
management:
endpoints:
web:
exposure:
include: health,metrics,prometheus
This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.
Users are recommended to upgrade to version 3.0.2, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.dolphinscheduler:dolphinschedulerMaven | >= 3.0.0, < 3.0.2 | 3.0.2 |
apache-dolphinschedulerPyPI | >= 3.0.0, < 3.0.2 | 3.0.2 |
Affected products
3- ghsa-coords2 versions
>= 3.0.0, < 3.0.2+ 1 more
- (no CPE)range: >= 3.0.0, < 3.0.2
- (no CPE)range: >= 3.0.0, < 3.0.2
- Range: 3.0.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-4vvc-r4p4-qgrrghsaADVISORY
- lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvoghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-48796ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/11/24/1ghsaWEB
- www.openwall.com/lists/oss-security/2025/11/28/1ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2023-268.yamlghsaWEB
News mentions
0No linked articles in our index yet.