Description
In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/1
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
Related Vulnerabilities
CVE-2022-36905 Vulnerability in maven package eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin
CVE-2022-25350 Vulnerability in npm package puppet-facter
CVE-2022-22984 Vulnerability in npm package @snyk/snyk-hex-plugin
CVE-2022-23712 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2021-23899 Vulnerability in maven package com.mikesamuel:json-sanitizer