Posted to dev@dolphinscheduler.apache.org by lidong dai <da...@gmail.com> on 2020/09/10 09:09:12 UTC
[CVE-2020-13922] Apache DolphinScheduler (incubating) Permission vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
DolphinScheduler 1.2.0, 1.2.1, 1.3.1
Description:
An ordinary user under any tenant can overwrite another user's password through the API interface /dolphinscheduler/users/update, because the endpoint does not check that the caller is allowed to modify the account identified by the request's id parameter.
Mitigation: Users of 1.2.0, 1.2.1 and 1.3.1 should upgrade to >=1.3.2
Example: An attacker can get admin permission in the DolphinScheduler system through the API interface with the following request parameters:
id=1&userName=admin&userPassword=Password1!&tenantId=1&email=sdluser%40sdluser.sdluser&phone=
Credit: This issue was discovered by xuxiang of DtDream security
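The flaw class above is a missing ownership/role check on a user-update handler. The following added example (not DolphinScheduler's own code; the role names ADMIN/GENERAL, the User fields and the hashing are assumptions for the demo) shows the unchecked update pattern next to a checked one, using the same parameter names as the advisory's request:

```python
import hashlib
from dataclasses import dataclass
from typing import Dict

class Forbidden(Exception):
    pass

@dataclass
class User:
    id: int
    user_name: str
    password_hash: str
    user_type: str  # "ADMIN" or "GENERAL" (assumed role names)
    tenant_id: int

def hash_password(password: str) -> str:
    # Demo-only hashing; a real system uses a slow, salted password KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_users() -> Dict[int, User]:
    # Constructed sample accounts: a built-in admin (id=1) and an ordinary tenant user.
    return {
        1: User(1, "admin", hash_password("admin-secret"), "ADMIN", 1),
        2: User(2, "alice", hash_password("alice-secret"), "GENERAL", 1),
    }

def update_user_unchecked(users: Dict[int, User], caller: User, params: Dict[str, str]) -> User:
    # Flawed pattern: the account to modify comes from the request's "id"
    # parameter and the caller's own identity is never compared against it.
    target = users[int(params["id"])]
    target.user_name = params.get("userName", target.user_name)
    if params.get("userPassword"):
        target.password_hash = hash_password(params["userPassword"])
    return target

def update_user_checked(users: Dict[int, User], caller: User, params: Dict[str, str]) -> User:
    # Hardened pattern: a GENERAL user may only update their own record and may
    # not change role or tenant; only an ADMIN may modify other accounts.
    target_id = int(params["id"])
    if caller.user_type != "ADMIN" and caller.id != target_id:
        raise Forbidden(f"user {caller.id} may not modify user {target_id}")
    if caller.user_type != "ADMIN" and ("userType" in params or "tenantId" in params):
        raise Forbidden("only an admin may change role or tenant")
    # The write itself is unchanged; the authorization gate was the missing piece.
    return update_user_unchecked(users, caller, params)
```

The authorization decision must be made from the server-side session identity, never from any user id or role field carried in the request body.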
Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai 代立冬
dailidong66@gmail.com
---------------