Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NmZoLWo1OG0tN3BmNc0XvA
Improper Privilege Management in Apache Ozone
In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
Permalink: https://github.com/advisories/GHSA-86fh-j58m-7pf5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NmZoLWo1OG0tN3BmNc0XvA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 3 years ago
Updated: 12 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00395
EPSS Percentile: 0.73111
Identifiers: GHSA-86fh-j58m-7pf5, CVE-2021-36372
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36372
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/11/19/1
- https://github.com/advisories/GHSA-86fh-j58m-7pf5
Affected Packages
maven:org.apache.ozone:ozone-main
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions:
All unaffected versions: 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1