CVE-2021-39235

Published: Nov 19, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.

Affected (1)

Products: Apache: Ozone

Apache

1 product

Ozone

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ozone	Before 1.2.0

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

http://www.openwall.com/lists/oss-security/2021/11/19/6

Source: security@apache.org

Mailing ListThird Party Advisory

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2021/11/19/6

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.