Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zM3hoLXhjaDktcDZoas0XrQ
Incorrect Authorization in Apache Ozone
In Apache Ozone versions prior to 1.2.0, Container-related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
Permalink: https://github.com/advisories/GHSA-33xh-xch9-p6hj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zM3hoLXhjaDktcDZoas0XrQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00207
EPSS Percentile: 0.58824
Identifiers: GHSA-33xh-xch9-p6hj, CVE-2021-39233
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-39233
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C394a9a73-44dd-b5db-84d8-607c3226eb00%40apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/11/19/4
- https://github.com/advisories/GHSA-33xh-xch9-p6hj
Affected Packages
maven:org.apache.ozone:ozone-main
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions:
All unaffected versions: 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1