Description

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/11/19/1

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E

Related Vulnerabilities

CVE-2020-10719 Vulnerability in maven package io.undertow:undertow-core

CVE-2023-24057 Vulnerability in maven package ca.uhn.hapi.fhir:org.hl7.fhir.r4b

CVE-2020-35214 Vulnerability in maven package io.atomix:atomix

CVE-2009-0783 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2021-41862 Vulnerability in maven package com.googlecode.aviator:aviator

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Mailing List Mitigation Vendor Advisory NVD-CWE-noinfo