Description
In Apache Ozone versions prior to 1.2.0, authenticated users who know the ID of an existing block can craft a specific request that allows access to that block, bypassing other security checks such as ACLs.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/5
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E