Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jOGN3LTJjNWoteGZmM80Xvw
Incorrect Authorization in Apache Ozone
In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.
Permalink: https://github.com/advisories/GHSA-c8cw-2c5j-xff3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jOGN3LTJjNWoteGZmM80Xvw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00074
EPSS Percentile: 0.34511
Identifiers: GHSA-c8cw-2c5j-xff3, CVE-2021-39234
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-39234
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/11/19/5
- https://github.com/advisories/GHSA-c8cw-2c5j-xff3
Affected Packages
maven:org.apache.ozone:ozone-main
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions:
All unaffected versions: 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1