CVE-2021-36372

CRITICAL9.8EPSS 0.34%

Improper Privilege Management in Apache Ozone

發布日:2021/11/23修改日:2024/1/31

描述

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

受影響套件(1)

Maven/org.apache.ozone:ozone-mainfrom 0, < 1.2.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-36372
PATCHhttps://github.com/apache/ozone
WEBhttps://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
WEBhttp://www.openwall.com/lists/oss-security/2021/11/19/1