Description
In Apache Ozone versions prior to 1.2.0, authenticated users who know the ID of an existing block can craft a specific request that allows access to those blocks, bypassing other security checks such as ACLs.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/5
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E