Description

In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.

Remediation

References

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E

http://www.openwall.com/lists/oss-security/2021/11/19/5

Related Vulnerabilities

CVE-2022-41854 Vulnerability in maven package org.yaml:snakeyaml

CVE-2023-29019 Vulnerability in npm package @fastify/passport

CVE-2023-43501 Vulnerability in maven package com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer

CVE-2020-27216 Vulnerability in maven package jetty:jetty

CVE-2023-25157 Vulnerability in maven package org.geoserver.community:gs-jdbcconfig

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Tags

Mailing List Vendor Advisory Third Party Advisory