Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: DolphinScheduler 1.2.0, 1.2.1, 1.3.1
Description: The vulnerability discovered is that an ordinary user under any tenant can override another user's password through the API interface /dolphinscheduler/users/update.
Mitigation: 1.2.0, 1.2.1 and 1.3.1 users should upgrade to >=1.3.2.
Example: An attacker can get admin permission in the DolphinScheduler system through the API interface:
id=1&userName=admin&userPassword=Password1!&tenantId=1&email=sdluser%40sdluser.sdluser&phone=
Credit: This issue was discovered by xuxiang of DtDream security

Best Regards
---------------
DolphinScheduler(Incubator) PPMC
Lidong Dai 代立冬
dailidon...@gmail.com
---------------
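The root cause named in the advisory is a missing authorization check: the update endpoint accepts whatever target id the request names, so any logged-in user can rewrite the admin account. The following Python model, added here as an illustration and not DolphinScheduler's own code, puts a handler with that gap next to a hardened one that binds the target to the session user (admins excepted) and rejects tenant changes by ordinary users. The User/UserStore classes, the handler names and the sample accounts are constructed for the example; the request body is the one quoted in the advisory.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Request body quoted in the advisory; target id 1 is the built-in admin.
ADVISORY_QUERY = ("id=1&userName=admin&userPassword=Password1!&tenantId=1"
                  "&email=sdluser%40sdluser.sdluser&phone=")


def parse_params(query):
    """Flatten a form-encoded body into a dict of single values (blank kept)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


@dataclass
class User:
    id: int
    user_name: str
    password: str          # stored as-is only for the demo; hash it in real code
    tenant_id: int
    email: str = ""
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the session user may not perform the requested update."""


class UserStore:
    def __init__(self, users):
        self._users = {u.id: u for u in users}

    def get(self, user_id):
        return self._users[user_id]


def update_user_vulnerable(store, session_user, params):
    """Handler with the advisory's defect: only a logged-in session is required,
    and the client-supplied `id` decides which record gets overwritten."""
    target = store.get(int(params["id"]))
    target.user_name = params["userName"]
    target.password = params["userPassword"]
    target.tenant_id = int(params["tenantId"])
    target.email = params.get("email", "")
    return target


def update_user_hardened(store, session_user, params):
    """Same handler with object-level authorization: a non-admin may only
    update its own record and may not move itself to another tenant."""
    target_id = int(params["id"])
    if not session_user.is_admin and session_user.id != target_id:
        raise Forbidden(f"user {session_user.id} may not update user {target_id}")
    target = store.get(target_id)
    if not session_user.is_admin and int(params["tenantId"]) != target.tenant_id:
        raise Forbidden("tenant change requires admin")
    target.user_name = params["userName"]
    target.password = params["userPassword"]
    target.tenant_id = int(params["tenantId"])
    target.email = params.get("email", "")
    return target


def seed_store():
    # Constructed sample data: the admin (id 1) and an ordinary user of
    # another tenant (id 2) who sends the advisory's request body.
    return UserStore([User(1, "admin", "admin-secret", 1, is_admin=True),
                      User(2, "alice", "alice-secret", 2)])


def demo_vulnerable():
    """Ordinary user 2 replays the advisory body; returns admin's password after."""
    store = seed_store()
    update_user_vulnerable(store, store.get(2), parse_params(ADVISORY_QUERY))
    return store.get(1).password


def demo_hardened():
    """Same replay against the hardened handler; returns admin's password after."""
    store = seed_store()
    try:
        update_user_hardened(store, store.get(2), parse_params(ADVISORY_QUERY))
    except Forbidden:
        return store.get(1).password
    raise AssertionError("hardened handler accepted a cross-user update")


def demo_self_update():
    """Hardened handler still lets user 2 change her own record."""
    store = seed_store()
    body = "id=2&userName=alice&userPassword=new-secret&tenantId=2&email=a%40example.test&phone="
    update_user_hardened(store, store.get(2), parse_params(body))
    return store.get(2).password


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # admin password replaced
    print("hardened:  ", demo_hardened())     # admin password unchanged
    print("self:      ", demo_self_update())  # own update still allowed
```

The check that matters is the comparison between the session user's id and the `id` in the request body; an admin flag on the session bypasses it for legitimate administration. Reviewing the 1.3.2 upgrade, or any in-house patch, means confirming that exactly this comparison runs before the record is written.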