CVE-2020-13922

MEDIUM

Apache DolphinScheduler < 1.3.2 - Unauthenticated Password Override via API Interface

Title source: llm

Description

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

References (1)

Core 1

Core References

Mailing List x_refsource_misc

https://www.mail-archive.com/announce%40apache.org/msg06076.html

Scores

CVSS v3 6.5

EPSS 0.0083

EPSS Percentile 74.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-276 CWE-264

Status published

Products (4)

apache/dolphinscheduler 1.2.0

apache/dolphinscheduler 1.2.1

apache/dolphinscheduler 1.3.1

org.apache.dolphinscheduler/dolphinscheduler-api 0 - 1.3.2Maven

Published Jan 11, 2021

Tracked Since Feb 18, 2026