Description

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/11/19/1

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E

Related Vulnerabilities

CVE-2018-18389 Vulnerability in maven package org.neo4j:neo4j-security-enterprise

CVE-2021-21413 Vulnerability in npm package isolated-vm

CVE-2018-6561 Vulnerability in maven package org.webjars.bowergithub.dojo:dijit

CVE-2017-15095 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-2235 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-maven-parent

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Mailing List Mitigation Vendor Advisory NVD-CWE-noinfo