Description
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.
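The class of flaw described above, shown as an added example in a simplified model; this is not Apache Ozone's code. The HMAC-signed JSON token format, the secret, and all function names are assumptions made for illustration. Both verifiers authenticate the token and bind it to the block, but only the second compares the requested operation against the granted access modes.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # constructed; stands in for a token-signing secret


def issue_token(user, block_id, modes, ttl=60):
    """Sign a token that grants `modes` (e.g. ["READ"]) on one block."""
    body = json.dumps({"user": user, "block": block_id, "modes": sorted(modes),
                       "exp": time.time() + ttl}, sort_keys=True).encode()
    return body, hmac.new(SECRET, body, hashlib.sha256).digest()


def _verified_claims(token, block_id):
    """Checks shared by both verifiers: signature, expiry, block binding."""
    body, sig = token
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    if claims["block"] != block_id:
        raise PermissionError("token is for a different block")
    return claims


def verify_without_mode(token, block_id, requested_mode):
    """Flawed pattern: the token is authentic, but requested_mode is never compared."""
    _verified_claims(token, block_id)
    return True


def verify_with_mode(token, block_id, requested_mode):
    """Hardened pattern: the operation's mode must be among the granted modes."""
    claims = _verified_claims(token, block_id)
    if requested_mode not in claims["modes"]:
        raise PermissionError(f"token does not grant {requested_mode}")
    return True


def is_allowed(verifier, token, block_id, mode):
    """Run a verifier and report the decision as a boolean."""
    try:
        return verifier(token, block_id, mode)
    except PermissionError:
        return False
```

A regression test for this kind of fix should assert that a READ-only token is rejected for every write-type operation, not only that valid tokens are accepted.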
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E