Description
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.
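The missing check, shown as an added example that is not Apache Ozone's code: a simplified Python model of a signed block token, in which the token format, signing key, operation names and function names are all assumptions made for illustration. `authorize_flawed` validates the token but never consults its access mode, as the description states; `authorize_checked` also requires a granted mode to cover the requested operation.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for the token-signing secret

# Hypothetical operation names mapped to the access mode each one requires.
REQUIRED_MODE = {"read_chunk": "READ", "get_block": "READ",
                 "write_chunk": "WRITE", "put_block": "WRITE"}


def issue_token(user, block_id, modes):
    """Issuer side: sign the block id together with the granted access modes."""
    body = json.dumps({"user": user, "block": block_id, "modes": sorted(modes)},
                      sort_keys=True).encode()
    return body, hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def _verified_claims(token, block_id):
    """Checks common to both variants: valid signature, token names this block."""
    body, sig = token
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad token signature")
    claims = json.loads(body)
    if claims["block"] != block_id:
        raise PermissionError("token was issued for a different block")
    return claims


def authorize_flawed(token, block_id, op):
    """Behaviour in the description: the 'modes' claim is never looked at."""
    _verified_claims(token, block_id)
    return True


def authorize_checked(token, block_id, op):
    """Corrected check: a granted mode must cover the requested operation."""
    claims = _verified_claims(token, block_id)
    required = REQUIRED_MODE.get(op)  # unknown operations are denied by default
    if required is None or required not in claims["modes"]:
        raise PermissionError(f"{op} on {block_id} not covered by {claims['modes']}")
    return True
```
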
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E