Description
In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/5
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E
Related Vulnerabilities
CVE-2022-30506 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2020-7792 Vulnerability in maven package org.webjars:mout
CVE-2020-7662 Vulnerability in npm package websocket-extensions
CVE-2019-16869 Vulnerability in maven package io.netty:netty
CVE-2013-4590 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core