PT-2021-9678 · Apache · Apache Dolphinscheduler

Xuxiang

Published

2021-01-11

Updated

2022-02-09

CVE-2020-13922

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Apache DolphinScheduler versions prior to 1.3.2

Description The issue allows an ordinary user under any tenant to override another user's password through the API interface.

Recommendations For versions prior to 1.3.2, update to version 1.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the API interface to minimize the risk of exploitation.

Fix

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264CWE-276

Related Identifiers

CVE-2020-13922

GHSA-QHH5-9738-G9MX

PYSEC-2021-876

Affected Products

Apache Dolphinscheduler

PT-2021-9678 · Apache · Apache Dolphinscheduler

CVE-2020-13922

Weakness Enumeration

Related Identifiers

Affected Products

References · 13