Impact
A missing authorization check in the Apache DolphinScheduler DataSource API allows an attacker to obtain arbitrary data source metadata. This omission is classified as a CWE‑863 vulnerability and can expose sensitive connection details, potentially facilitating further attacks. The impact is primarily the compromise of confidentiality for the underlying data sources.
Affected Systems
Apache Software Foundation’s Apache DolphinScheduler versions released before 3.4.2 are vulnerable. The issue affects all installations running those earlier releases.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity, and the EPSS score of <1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via the exposed DataSource API endpoint, which does not enforce proper authorization, enabling any user who can reach the API to retrieve metadata. Given the potential for sensitive information exposure, the risk to affected organizations is moderate but warrants prompt remediation.
OpenCVE Enrichment
Github GHSA