Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jNmo3LTRmcjktYzc2cM0Xqg

Incorrect permissions in Apache Ozone

In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.

Permalink: https://github.com/advisories/GHSA-c6j7-4fr9-c76p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNmo3LTRmcjktYzc2cM0Xqg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: about 1 year ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00078
EPSS Percentile: 0.35544

Identifiers: GHSA-c6j7-4fr9-c76p, CVE-2021-39235
References:
Blast Radius: 1.0

Affected Packages

maven:org.apache.ozone:ozone-main
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions:
All unaffected versions: 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1