Description
In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/5
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E
Related Vulnerabilities
CVE-2017-1000188 Vulnerability in maven package org.webjars.npm:ejs
CVE-2013-5960 Vulnerability in maven package org.owasp.esapi:esapi
CVE-2019-10785 Vulnerability in npm package dojox
CVE-2021-44138 Vulnerability in maven package com.caucho:resin
CVE-2017-4974 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-common