Description
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
Remediation
References
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
http://www.openwall.com/lists/oss-security/2021/11/19/1