Description
In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E
Related Vulnerabilities
CVE-2021-21666 Vulnerability in maven package org.jenkins-ci.plugins:kiuwanjenkinsplugin
CVE-2019-11819 Vulnerability in maven package org.opencms:org.opencms.workplace.tools.accounts
CVE-2021-40690 Vulnerability in maven package org.apache.santuario:xmlsec
CVE-2020-7736 Vulnerability in npm package bmoor
CVE-2023-40341 Vulnerability in maven package io.jenkins.blueocean:blueocean