CVE-2020-13922

CWE-264 CWE-276 — Incorrect Default Permissions5 documents4 sources

Severity

6.5MEDIUM

EPSS

0.8%

top 25.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Dolphinscheduler Apache Dolphinscheduler

Timeline

PublishedJan 11

Latest updateFeb 9

Description

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.dolphinscheduler:dolphinscheduler-api< 1.3.2

▶CVEListV5apache_software_foundation/apache_dolphinschedulerApache DolphinScheduler — 1.3.2

▶NVDapache/dolphinscheduler1.2.0, 1.2.1, 1.3.1+2

🔴Vulnerability Details

OSV

Incorrect Default Permissions in Apache DolphinScheduler↗2022-02-09

▶

GHSA

Incorrect Default Permissions in Apache DolphinScheduler↗2022-02-09

▶

CVEList

Apache DolphinScheduler (incubating) Permission vulnerability↗2021-01-11

▶

OSV

CVE-2020-13922: Versions of Apache DolphinScheduler prior to 1↗2021-01-11

▶