Description
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E