Description
In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E
Related Vulnerabilities
CVE-2020-6429 Vulnerability in npm package electron
CVE-2022-45390 Vulnerability in maven package io.loader:loaderio-jenkins-plugin
CVE-2021-46037 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2019-1003050 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-42468 Vulnerability in maven package org.apache.flume.flume-ng-sources:flume-jms-source