Posted to dev@dolphinscheduler.apache.org by lidong dai <da...@gmail.com> on 2020/09/10 09:09:12 UTC

[CVE-2020-13922] Apache DolphinScheduler (incubating) Permission vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
DolphinScheduler 1.2.0, 1.2.1, 1.3.1

Description:
An ordinary user under any tenant can overwrite another user's password through the
API interface /dolphinscheduler/users/update, because the endpoint does not check
that the caller is allowed to modify the targeted user record.

Mitigation: Users of 1.2.0, 1.2.1 and 1.3.1 should upgrade to 1.3.2 or later.

Example: An attacker can obtain admin permission in the DolphinScheduler system
by calling the API interface with the following parameters:
interface:id=1&userName=admin&userPassword=Password1!&tenantId=1&email=sdluser%40sdluser.sdluser&phone=
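To make the missing check concrete, the following is an added illustration written for this edit; it is not DolphinScheduler's code and does not claim to reproduce the 1.3.2 fix. It shows a user-update handler in the insecure shape the advisory describes next to a hardened one that refuses to touch any record other than the caller's own unless the caller is an administrator. The `User` class, the in-memory store, the `is_admin` flag and the handler names are assumptions; the request body is the parameter string quoted in the advisory above.

```python
"""Authorization gate for a user-update endpoint (illustrative, not
DolphinScheduler's code). User, the in-memory store, is_admin and the handler
names are assumed; ATTACK_BODY is the parameter string from the advisory."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class User:
    id: int
    user_name: str
    password: str
    is_admin: bool = False


def fresh_users() -> dict:
    """Constructed user table: an administrator (id 1) and a tenant user (id 2)."""
    return {
        1: User(1, "admin", "original-admin-secret", is_admin=True),
        2: User(2, "alice", "alice-secret"),
    }


# Request body quoted in the advisory: an ordinary user targets id=1 (admin).
ATTACK_BODY = ("id=1&userName=admin&userPassword=Password1!&tenantId=1"
               "&email=sdluser%40sdluser.sdluser&phone=")


class Forbidden(Exception):
    """Raised when the caller may not perform the requested update."""


def parse_update_body(body: str) -> dict:
    """Parse the form-encoded body of /users/update into a flat dict."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def _apply(params: dict, target: User) -> User:
    """Apply the updatable fields to the target record (shared by both handlers)."""
    target.user_name = params.get("userName", target.user_name)
    if params.get("userPassword"):
        target.password = params["userPassword"]
    return target


def update_user_vulnerable(caller: User, body: str, users: dict) -> User:
    """Insecure shape: trusts the client-supplied 'id' and never consults the
    caller's identity, so any authenticated user can overwrite any account."""
    params = parse_update_body(body)
    return _apply(params, users[int(params["id"])])


def update_user_hardened(caller: User, body: str, users: dict) -> User:
    """Hardened shape: the target must be the caller's own record unless the
    caller is an administrator. The check happens before any field is written."""
    params = parse_update_body(body)
    target_id = int(params["id"])
    if target_id != caller.id and not caller.is_admin:
        raise Forbidden(f"user {caller.id} may not modify user {target_id}")
    return _apply(params, users[target_id])


def attempt(handler, caller: User, body: str, users: dict) -> bool:
    """Run a handler and report whether the update was permitted."""
    try:
        handler(caller, body, users)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    store = fresh_users()
    print("vulnerable handler permitted:",
          attempt(update_user_vulnerable, store[2], ATTACK_BODY, store))
    store = fresh_users()
    print("hardened handler permitted:",
          attempt(update_user_hardened, store[2], ATTACK_BODY, store))
```

The design point is that the target of the write is decided server-side from the authenticated session, not from a field the client controls; the `id` in the body is only accepted when it matches the caller or the caller holds the administrator role. Any real fix would also need to cover privilege-bearing fields (such as the tenant or role) so that a self-update cannot escalate.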


Credit: This issue was discovered by xuxiang of DtDream security

Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai 代立冬
dailidong66@gmail.com
---------------