Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
DolphinScheduler 1.2.0, 1.2.1, 1.3.1

Description:
An ordinary user under any tenant can overwrite another user's password
through the API interface /dolphinscheduler/users/update.

Mitigation: Users of 1.2.0, 1.2.1 and 1.3.1 should upgrade to version 1.3.2 or later.

Example: An attacker can obtain admin permission in the DolphinScheduler
system by sending the following parameters to the API interface:
id=1&userName=admin&userPassword=Password1!&tenantId=1&email=sdluser%40sdluser.sdluser&phone=
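The following is an added illustration, not DolphinScheduler's own code: it models the class of flaw the advisory describes, an update endpoint that trusts the caller-supplied id field, beside the ownership/role check that closes it. The user table, the caller ids and the Forbidden exception are constructed for the example; the request string is the one quoted in the advisory.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when the caller is not allowed to modify the target account."""


@dataclass
class User:
    id: int
    user_name: str
    password: str
    tenant_id: int
    is_admin: bool = False


def make_users():
    """Constructed in-memory user table standing in for the database."""
    return {
        1: User(1, "admin", "original-admin-pw", 1, is_admin=True),
        2: User(2, "alice", "alice-pw", 1),
        3: User(3, "bob", "bob-pw", 2),
    }


def parse_update_request(query_string):
    """Flatten a form-encoded body such as the one quoted in the advisory."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def apply_update(target, params):
    """Shared field-update logic; the authorization decision belongs to the callers."""
    target.user_name = params.get("userName", target.user_name)
    if params.get("userPassword"):
        target.password = params["userPassword"]
    if params.get("tenantId"):
        target.tenant_id = int(params["tenantId"])
    return target


def update_user_vulnerable(users, caller_id, params):
    """Pattern behind the advisory: the id field is trusted as-is, so any
    authenticated user can rewrite any other account, including the admin's."""
    return apply_update(users[int(params["id"])], params)


def update_user_fixed(users, caller_id, params):
    """Hardened form: a caller may only modify its own record; only an
    administrator may modify somebody else's or change a tenant assignment."""
    caller = users[caller_id]
    target_id = int(params["id"])
    if target_id != caller.id and not caller.is_admin:
        raise Forbidden(f"user {caller.id} may not update user {target_id}")
    if (not caller.is_admin and params.get("tenantId")
            and int(params["tenantId"]) != caller.tenant_id):
        raise Forbidden("only an administrator may change a tenant assignment")
    return apply_update(users[target_id], params)


# The request body quoted in the advisory, here submitted by ordinary user 2 (alice)
ADVISORY_REQUEST = ("id=1&userName=admin&userPassword=Password1!&tenantId=1"
                    "&email=sdluser%40sdluser.sdluser&phone=")


def demo():
    """Run the advisory's request through both handlers and report the outcome."""
    params = parse_update_request(ADVISORY_REQUEST)
    vulnerable = make_users()
    update_user_vulnerable(vulnerable, caller_id=2, params=params)
    fixed = make_users()
    try:
        update_user_fixed(fixed, caller_id=2, params=params)
        blocked = False
    except Forbidden:
        blocked = True
    # vulnerable handler: admin password replaced; fixed handler: request refused
    return vulnerable[1].password, fixed[1].password, blocked


if __name__ == "__main__":
    print(demo())
```

The essential change is that the target of the update is derived from the authenticated session (or gated on an administrator role) rather than taken from the request body; the same check should apply to every field that confers privilege, not only the password.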


Credit:  This issue was discovered by xuxiang of DtDream security

Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai 代立冬
dailidon...@gmail.com
---------------

