CVE-2020-17517

Published: Apr 27, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.

Affected (1)

Products: Apache: Ozone

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ozone	Before 1.1.0

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.