Description

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Remediation

References

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E

http://www.openwall.com/lists/oss-security/2021/11/19/1

Related Vulnerabilities

CVE-2021-42357 Vulnerability in maven package org.apache.knox:gateway-service-knoxsso

CVE-2022-26884 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-server

CVE-2023-26473 Vulnerability in maven package org.xwiki.platform:xwiki-platform-query-manager

CVE-2021-21346 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2023-31206 Vulnerability in maven package org.apache.inlong:manager-dao

Severity

Critical

Classification

CWE-273 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Mitigation Vendor Advisory Third Party Advisory