CVE-2021-39235

MEDIUM6.5EPSS 0.20%

Incorrect permissions in Apache Ozone

Published: 11/23/2021Modified: 11/14/2023

Description

In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.

Affected packages (1)

Maven/org.apache.ozone:ozone-mainfrom 0, < 1.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-39235
PATCHhttps://github.com/apache/ozone
WEBhttps://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E
WEBhttp://www.openwall.com/lists/oss-security/2021/11/19/6