CVE-2020-13922

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.mail-archive.com/announce%40apache.org/msg06076.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:dolphinscheduler:1.2.0:::::::*
	cpe:2.3:a:apache:dolphinscheduler:1.2.1:::::::*
	cpe:2.3:a:apache:dolphinscheduler:1.3.1:::::::*

History

No history.

Information

Published : 2021-01-11 10:15

Updated : 2023-11-07 03:16

NVD link : CVE-2020-13922

Mitre link : CVE-2020-13922

CVE.ORG link : CVE-2020-13922

JSON object : View

Products Affected

apache

dolphinscheduler

CWE

CWE-276

Incorrect Default Permissions

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2020-13922", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-01-11T10:15:13.283", "references": [{"url": "https://www.mail-archive.com/announce%40apache.org/msg06076.html", "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface."}, {"lang": "es", "value": "Las versiones de Apache DolphinScheduler anteriores a 1.3.2, permit\u00edan a un usuario normal bajo cualquier inquilino anular la contrase\u00f1a de otro usuario por medio de la interfaz de la API"}], "lastModified": "2023-11-07T03:16:59.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:dolphinscheduler:1.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F2A61CF-878B-430F-81B0-EBFA5CAC268B"}, {"criteria": "cpe:2.3:a:apache:dolphinscheduler:1.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "008CAFE2-E837-4945-95A0-2BF8667AD14F"}, {"criteria": "cpe:2.3:a:apache:dolphinscheduler:1.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C6F5E98-BC52-4B9F-B30A-C31E0E5CBB9D"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}