Description
In Apache Ozone versions prior to 1.2.0, the block tokens generated when a key is first written are persisted to the metadata database, and any authenticated user with permission to the key can retrieve them. Revoking that user's access to the key does not invalidate the stored tokens, so a user who has already obtained them can continue to use them to access the key's block data after the revocation.
Remediation
Upgrade to Apache Ozone 1.2.0 or later. Note that upgrading does not recall block tokens that were already handed out on an affected version: block tokens carry their own expiry, so a key whose access was revoked while the cluster ran a version before 1.2.0 should be treated as potentially still readable by the former grantee until those tokens expire.
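A quick affected-version triage for this advisory, added here as an example and not part of the original page or of the Ozone project: it pulls the first X.Y.Z version token out of text such as the output of the `ozone version` command and classifies it against the 1.2.0 boundary. The sample outputs are constructed, and treating a 1.2.0-SNAPSHOT build as affected is a conservative assumption, since a snapshot built before the release may not carry the fix.

```python
import re
from typing import Optional, Tuple

# Boundary from the advisory: every release before 1.2.0 is affected.
FIXED_VERSION = (1, 2, 0)

# Matches the first X.Y.Z with an optional Maven-style qualifier (e.g. -SNAPSHOT, -beta).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_ozone_version(text: str) -> Optional[Tuple[Tuple[int, int, int], Optional[str]]]:
    """Return ((major, minor, patch), qualifier) for the first version string in text,
    or None when no version is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    numbers = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return numbers, match.group(4)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is prior to 1.2.0, False if 1.2.0 or later,
    None when no version could be parsed (treat as unknown, not as safe)."""
    parsed = parse_ozone_version(text)
    if parsed is None:
        return None
    numbers, qualifier = parsed
    if numbers < FIXED_VERSION:
        return True
    if numbers == FIXED_VERSION and qualifier is not None and qualifier.upper().startswith("SNAPSHOT"):
        # Assumption: a 1.2.0-SNAPSHOT build predates the 1.2.0 release and may
        # or may not contain the fix, so flag it rather than assume it is patched.
        return True
    return False


def triage(outputs: dict) -> dict:
    """Map host name -> 'affected' / 'patched' / 'unknown' for a batch of version outputs."""
    labels = {True: "affected", False: "patched", None: "unknown"}
    return {host: labels[is_affected(out)] for host, out in outputs.items()}


# Constructed sample outputs, not captured from a real cluster; the surrounding
# layout of `ozone version` varies between releases, so only the X.Y.Z token is used.
SAMPLE_OUTPUTS = {
    "om-1": "Ozone 1.1.0\nSource code repository ...",
    "om-2": "Ozone 1.2.0\nSource code repository ...",
    "dn-7": "Ozone 1.2.0-SNAPSHOT\nCompiled by ...",
    "dn-9": "Ozone 0.5.0-beta\nCompiled by ...",
    "dn-11": "command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" need a manual look rather than being skipped, since a missing or unparseable version is no evidence that the node is patched.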
References
http://www.openwall.com/lists/oss-security/2021/11/19/1
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
Related Vulnerabilities
CVE-2021-30246 Vulnerability in maven package org.webjars.npm:jsrsasign
CVE-2011-4838 Vulnerability in maven package jruby:jruby
CVE-2016-10542 Vulnerability in npm package ws
CVE-2016-5007 Vulnerability in maven package org.springframework.security:spring-security-web
CVE-2022-38370 Vulnerability in maven package org.apache.iotdb:iotdb-grafana-connector