Description
In Apache Ozone versions prior to 1.2.0, authenticated users who know the ID of an existing block can craft a specific request that allows access to those blocks, bypassing other security checks such as ACLs.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/5
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E