CVE-2021-39234

Published: Nov 19, 2021Modified: Nov 21, 2024

6.8

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.6 / Impact: 5.2

Source: NVD

Description

In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.

Affected (1)

Products: Apache: Ozone

Apache

1 product

Ozone

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ozone	Before 1.2.0

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

http://www.openwall.com/lists/oss-security/2021/11/19/5

Source: security@apache.org

Third Party Advisory

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2021/11/19/5

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.