Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNmo3LTRmcjktYzc2cM0Xqg
Incorrect permissions in Apache Ozone
In Apache Ozone before 1.2.0, the Ozone Datanode does not check the access mode parameter of the block token. An authenticated user holding a valid READ block token can therefore perform any write operation on the same block: the token's signature, block binding and expiry are enforced, but the READ/WRITE mode it was issued with is not.
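The check that was missing, as an added example that is not Apache Ozone's code: a simplified HMAC-signed block token with a `modes` claim, verified by two authorizers. `authorize_vulnerable` models the pre-1.2.0 behaviour described above (signature, block ID and expiry are checked, access mode is ignored), `authorize_fixed` additionally requires that the requested operation's mode is present in the token. The key, token layout, operation names and `REQUIRED_MODE` table are assumptions for illustration, not Ozone's wire format or API.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; a real deployment distributes
# block-token keys through its own key-management path.
KEY = b"example-datanode-block-token-key"

# Hypothetical mapping of datanode operations to the token mode they need.
REQUIRED_MODE = {
    "readChunk": "READ",
    "writeChunk": "WRITE",
    "deleteBlock": "DELETE",
}


def issue_token(key, block_id, user, modes, ttl=3600):
    """Issue a token bound to one block, one user, a set of modes and an expiry."""
    claims = {
        "block": block_id,
        "user": user,
        "modes": sorted(modes),
        "exp": int(time.time()) + ttl,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def _verify_signature(key, token):
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


def _claims(token):
    return json.loads(token["payload"])


def authorize_vulnerable(key, token, block_id, op, now=None):
    """Pre-1.2.0 behaviour: signature, block binding and expiry are checked,
    but the token's access mode is never compared against the operation."""
    if not _verify_signature(key, token):
        return False
    claims = _claims(token)
    now = time.time() if now is None else now
    if claims["block"] != block_id or claims["exp"] < now:
        return False
    return True  # a READ token reaches here for writeChunk too


def authorize_fixed(key, token, block_id, op, now=None):
    """Hardened: identical checks plus an explicit access-mode check."""
    if not _verify_signature(key, token):
        return False
    claims = _claims(token)
    now = time.time() if now is None else now
    if claims["block"] != block_id or claims["exp"] < now:
        return False
    needed = REQUIRED_MODE.get(op)
    if needed is None or needed not in claims["modes"]:
        return False  # unknown operation, or mode not granted by this token
    return True


def demo():
    """Return the four outcomes a practitioner would want to compare."""
    read_token = issue_token(KEY, "blk-1", "alice", ["READ"])
    # Tampering with the claims (adding WRITE) must invalidate the signature.
    tampered = dict(read_token)
    claims = _claims(read_token)
    claims["modes"] = ["READ", "WRITE"]
    tampered["payload"] = json.dumps(claims, sort_keys=True).encode()
    return {
        "vulnerable_allows_write": authorize_vulnerable(KEY, read_token, "blk-1", "writeChunk"),
        "fixed_allows_write": authorize_fixed(KEY, read_token, "blk-1", "writeChunk"),
        "fixed_allows_read": authorize_fixed(KEY, read_token, "blk-1", "readChunk"),
        "tampered_accepted": authorize_fixed(KEY, tampered, "blk-1", "writeChunk"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the comparison is that a valid signature only proves the token was issued, not what it was issued for; every claim the issuer embedded (block ID, expiry and access mode) has to be enforced at the point of use, and the mode check is the one the advisory says the datanode omitted.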
Permalink: https://github.com/advisories/GHSA-c6j7-4fr9-c76p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNmo3LTRmcjktYzc2cM0Xqg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Percentage: 0.00078
EPSS Percentile: 0.35544
Identifiers: GHSA-c6j7-4fr9-c76p, CVE-2021-39235
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-39235
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/11/19/6
- https://github.com/advisories/GHSA-c6j7-4fr9-c76p
Affected Packages
maven:org.apache.ozone:ozone-main
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions:
All unaffected versions: 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1