Description

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/11/19/1

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E

Related Vulnerabilities

CVE-2016-10534 Vulnerability in npm package electron-packager

CVE-2017-7688 Vulnerability in maven package org.apache.openmeetings:openmeetings-core

CVE-2022-22965 Vulnerability in maven package org.springframework:spring-webmvc

CVE-2020-2163 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2020-15119 Vulnerability in npm package auth0-lock

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Mailing List Mitigation Vendor Advisory NVD-CWE-noinfo