dill21yu opened a new issue, #17739: URL: https://github.com/apache/dolphinscheduler/issues/17739
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar feature requirement.

### Description

Part of #15940

**Vulnerability name**: Spring Boot routing/actuator bypass (CVE-2023-20873)
**Category**: Unauthorized access / routing bypass (Actuator exposure risk)

## Description

CVE-2023-20873 describes a routing/processing issue that, in Cloud Foundry deployments or when handling `/cloudfoundryapplication/**` style requests, may allow access to Actuator endpoints or bypass route restrictions, potentially exposing sensitive information.

## Recommended fix

- Upgrade Spring Boot to a patched version (e.g. 2.5.15, 2.6.15, 2.7.11, 3.0.6 or later depending on the project's Spring Boot major version).
- Review actuator configuration and ensure endpoints are not publicly exposed; require authentication/authorization for sensitive endpoints.
- For Cloud Foundry or proxy deployments, verify the routing configuration and path matching behavior.

## Risk / compatibility

- Upgrading Spring Boot can cascade to many dependency upgrades; run comprehensive tests.
- Verify that actuator endpoints and other management endpoints continue to behave as expected after upgrade.

## References

- Spring Boot releases: https://github.com/spring-projects/spring-boot/releases
- CVE: CVE-2023-20873 (add advisory link)
- Parent tracking issue: #15940

### Are you willing to submit a PR?

- [x] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
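As an added illustration of the "review actuator configuration" item above (example code, not part of this issue or of DolphinScheduler), the following Spring Security configuration restricts management endpoints to an authenticated operator role and keeps only health anonymous. It assumes Spring Boot 3 / Spring Security 6 (`securityMatcher`, `authorizeHttpRequests`) and a role name `ACTUATOR_ADMIN` chosen here for illustration.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example of actuator hardening; not the project's own configuration.
// Pair it with application.properties that limits what is exposed at all:
//   management.endpoints.web.exposure.include=health,info      (the weak setting is "*")
//   management.endpoint.health.show-details=when_authorized
//   management.cloudfoundry.enabled=false                       (when not deployed on Cloud Foundry;
//                                                                this switches off the /cloudfoundryapplication extension)
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // This chain applies only to management endpoints, whatever the configured
            // management base path; the application's own chain handles all other routes.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes may stay anonymous; with show-details=when_authorized
                // an unauthenticated caller sees only UP/DOWN.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Every other management endpoint (env, beans, mappings, ...) requires an
                // authenticated operator role; ACTUATOR_ADMIN is an illustrative role name.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

After the Spring Boot upgrade, a quick check is to request `/actuator/env` unauthenticated and confirm a 401, and `/actuator/health` and confirm a status-only body.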
