EUVD-2025-209369

CVE-2025-62188 | HIGH | 7.5 (CVSS 3.1)
2026-04-09 | apache | GHSA-3cjc-vhfm-ffp2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released: Apr 10, 2026 - 20:30 (nvd), patch available
EUVD ID Assigned: Apr 09, 2026 - 10:00 (euvd), EUVD-2025-209369
Analysis Generated: Apr 09, 2026 - 10:00 (vuln.today)
CVE Published: Apr 09, 2026 - 09:27 (nvd)

Description

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*.

Users are recommended to upgrade to:

* version ≥ 3.2.0 if using 3.1.x

As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:

```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```

Alternatively, add the following configuration to the application.yaml file:

```
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796

Analysis

Unauthenticated information disclosure in Apache DolphinScheduler 3.1.x: management endpoints that require no authentication expose database credentials and other sensitive configuration. Any attacker who can reach the service over the network can read those secrets without credentials or user interaction (AV:N, PR:N, UI:N), and credentials for the backing database give direct access to the infrastructure behind the scheduler. All 3.1.* releases are affected. No public exploit was identified at the time of analysis. Vendor remediation is available in version 3.2.0.

Technical Context

CWE-200. DolphinScheduler 3.1.x ships Spring Boot Actuator management endpoints enabled and exposed over HTTP without access control. Unauthenticated requests to /actuator paths return environment properties, which in this product include database connection strings, credentials and other internal configuration. Root cause: an overly permissive default for management.endpoints.web.exposure.include in the 3.1.x branch, which the recommended workaround narrows to health, metrics and prometheus. Do not count on Actuator's built-in value sanitisation as a control here: what it masks depends on the Spring Boot version and its configuration, and the advisory reports credentials being exposed.
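The access pattern described above, as an added example that is not part of the advisory or of the DolphinScheduler project: a small detector that runs over web-server access log lines for a DolphinScheduler front end and flags requests to sensitive Actuator endpoints, separating successful reads (status 200, the endpoint answered) from blocked probes. The log lines are constructed for the example, and the list of sensitive endpoint ids is an assumption drawn from general Spring Boot Actuator knowledge, not from the advisory.

```python
"""Flag access-log requests that read sensitive Spring Boot Actuator
endpoints on a DolphinScheduler front end.  Added example; the log lines
are constructed and SENSITIVE is an assumed set of Actuator endpoint ids
that return configuration or memory contents, not a list from the advisory."""
import re
from collections import defaultdict

SENSITIVE = {"env", "configprops", "heapdump", "threaddump", "beans", "mappings"}

# Combined (nginx / Apache style) access log line.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# First path segment after /actuator/, whatever context path precedes it.
ACTUATOR = re.compile(r"/actuator/([^/?#]+)")


def parse(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def actuator_endpoint(path):
    """Endpoint id addressed by a request path, or None for non-Actuator paths."""
    m = ACTUATOR.search(path)
    return m.group(1) if m else None


def findings(lines):
    """One finding per request to a sensitive endpoint.  A 200 means the
    endpoint answered, i.e. the host is exposed; any other status is a
    probe that was blocked or hit an endpoint that is not exposed."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        endpoint = actuator_endpoint(rec["path"])
        if endpoint in SENSITIVE:
            out.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "endpoint": endpoint,
                "status": int(rec["status"]),
                "exposed": rec["status"] == "200",
            })
    return out


def summarize(lines):
    """Per source address: sensitive hits, and how many of them succeeded."""
    per_ip = defaultdict(lambda: {"hits": 0, "exposed": 0})
    for f in findings(lines):
        per_ip[f["ip"]]["hits"] += 1
        per_ip[f["ip"]]["exposed"] += int(f["exposed"])
    return dict(per_ip)


# Constructed sample: one external address reads env and configprops
# successfully and then gets a 404 for heapdump; a health probe is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2026:10:01:02 +0000] "GET /dolphinscheduler/actuator/env HTTP/1.1" 200 18422 "-" "curl/8.4.0"
203.0.113.7 - - [09/Apr/2026:10:01:05 +0000] "GET /dolphinscheduler/actuator/configprops HTTP/1.1" 200 9031 "-" "curl/8.4.0"
198.51.100.4 - - [09/Apr/2026:10:02:10 +0000] "GET /dolphinscheduler/actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
203.0.113.7 - - [09/Apr/2026:10:03:00 +0000] "GET /dolphinscheduler/actuator/heapdump HTTP/1.1" 404 0 "-" "curl/8.4.0"
""".splitlines()

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
    print(summarize(SAMPLE_LOG))
```

Run it over the real access log of the reverse proxy or API server; a source with `exposed` greater than zero read configuration from the service and the credentials it returned should be treated as compromised, while hits that were all non-200 are reconnaissance worth blocking but not proof of disclosure.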

Affected Products

Apache DolphinScheduler 3.1.0 through 3.1.x (all patch levels). Vendor: Apache Software Foundation. CPE: cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*. No other product lines impacted.

Remediation

Vendor-released patch: upgrade to Apache DolphinScheduler 3.2.0 or later, which restricts management endpoint exposure by default. Official advisory: https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo.

For environments that cannot upgrade immediately, set the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus or add the equivalent management.endpoints.web.exposure.include restriction to application.yaml. This limits the web-exposed endpoints to the three named monitoring endpoints; every other Actuator endpoint stops being served. Two caveats: Spring Boot gives environment variables precedence over application.yaml, so a value set by a container image or service unit silently overrides whatever the file says, and the change must reach every DolphinScheduler service that runs its own Spring Boot instance, since each reads its own configuration. Verify after restart by requesting /actuator on each service: the discovery document should list only health, metrics and prometheus, and a request to an endpoint outside that list should receive 404 rather than data. Prioritize the upgrade over the workaround for permanent resolution.
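A way to check the workaround both offline and against a running service, as an added example that is not part of the advisory or of the project: the first function applies Spring Boot's exposure rules (include list, `*` wildcard, exclude wins) to a set of endpoint ids, the second applies Spring Boot's precedence of environment variables over application.yaml, and the last reads the /actuator discovery document and reports which sensitive endpoints are still listed. The sample discovery document is constructed, the host name ds.example is invented, and the set of endpoint ids treated as sensitive is an assumption from general Spring Boot knowledge rather than from the advisory.

```python
"""Audit which Spring Boot Actuator endpoints a DolphinScheduler-style
deployment exposes, from configuration values and from the /actuator
discovery document.  Added example; not DolphinScheduler or Spring Boot
code.  SENSITIVE is an assumed set of Actuator endpoint ids, not a list
taken from the advisory."""
import json
import os
import re
import sys
from urllib.parse import urlparse
from urllib.request import urlopen

# Endpoints that hand out configuration, secrets or memory contents when
# reachable without authentication (assumption: general Spring Boot set).
SENSITIVE = {"env", "configprops", "heapdump", "threaddump", "beans",
             "mappings", "loggers", "conditions", "scheduledtasks"}
# The advisory's recommended allow-list.
MITIGATED_INCLUDE = "health,metrics,prometheus"


def _split(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def exposed_endpoints(available, include, exclude=""):
    """Spring Boot exposure rules: '*' selects everything, an explicit
    exclude list always wins over include."""
    inc, exc = _split(include), _split(exclude)
    if "*" in exc:
        return set()
    chosen = set(available) if "*" in inc else {e for e in available if e in inc}
    return chosen - set(exc)


def effective_include(yaml_value, environ=None):
    """OS environment variables outrank application.yaml in Spring Boot, so
    MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE overrides the file's value."""
    env = os.environ if environ is None else environ
    return env.get("MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE", yaml_value)


def endpoints_from_discovery(discovery_json):
    """Endpoint ids listed in the /actuator discovery document.  Templated
    links such as /actuator/env/{toMatch} still map to 'env'; the 'self'
    link (the document itself) is skipped."""
    links = json.loads(discovery_json).get("_links", {})
    ids = set()
    for link in links.values():
        path = urlparse(link.get("href", "")).path
        m = re.search(r"/actuator/([^/{]+)", path)
        if m:
            ids.add(m.group(1))
    return ids


def audit(discovery_json):
    """Which endpoints a live service advertises, and whether any of the
    sensitive ones is still among them."""
    ids = endpoints_from_discovery(discovery_json)
    return {"exposed": sorted(ids),
            "sensitive": sorted(ids & SENSITIVE),
            "mitigated": not (ids & SENSITIVE)}


def fetch_discovery(base_url, timeout=5):
    """Live check (only run when a URL is given): GET <base>/actuator."""
    with urlopen(base_url.rstrip("/") + "/actuator", timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample of what an unmitigated host might advertise.
SAMPLE_DISCOVERY = json.dumps({"_links": {
    "self": {"href": "http://ds.example:12345/actuator", "templated": False},
    "health": {"href": "http://ds.example:12345/actuator/health", "templated": False},
    "env": {"href": "http://ds.example:12345/actuator/env", "templated": False},
    "env-toMatch": {"href": "http://ds.example:12345/actuator/env/{toMatch}", "templated": True},
    "metrics": {"href": "http://ds.example:12345/actuator/metrics", "templated": False},
}})

if __name__ == "__main__":
    doc = fetch_discovery(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    print(json.dumps(audit(doc), indent=2))
```

Run it with the base URL of each DolphinScheduler service as the only argument to audit that service; with no argument it audits the constructed sample and reports env as still exposed. The offline functions are for reviewing deployment manifests before rollout: feed them the include value from application.yaml together with the container's environment and they tell you which value Spring Boot will actually honour.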

Priority Score

38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0


EUVD-2025-209369 vulnerability details – vuln.today
