Description
In Apache Ozone before 1.2.0, the Ozone Datanode does not check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.
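The missing check can be modelled in a few lines. This is an added example, not Apache Ozone code: the token layout, the operation names, the HMAC construction and the key are all assumptions chosen to show a verifier that authenticates a token but ignores its access mode, next to one that enforces it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BlockTokenCheck {
    enum AccessMode { READ, WRITE }
    enum Op { READ_CHUNK, WRITE_CHUNK, PUT_BLOCK }   // hypothetical operation names

    // Constructed token: block id plus granted modes, authenticated with an HMAC.
    record Token(String blockId, Set<AccessMode> modes, byte[] mac) {}

    static byte[] sign(byte[] key, String blockId, Set<AccessMode> modes) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal((blockId + "|" + modes).getBytes(StandardCharsets.UTF_8));
    }

    // Flawed pattern: authenticity and block id are verified, the access mode is ignored.
    static boolean verifyFlawed(byte[] key, Token t, String blockId, Op op) throws Exception {
        return MessageDigest.isEqual(sign(key, t.blockId(), t.modes()), t.mac())
                && t.blockId().equals(blockId);
    }

    // Corrected pattern: the requested operation must map to a mode the token grants.
    // Anything that is not a read is treated as requiring WRITE.
    static boolean verifyStrict(byte[] key, Token t, String blockId, Op op) throws Exception {
        AccessMode needed = (op == Op.READ_CHUNK) ? AccessMode.READ : AccessMode.WRITE;
        return verifyFlawed(key, t, blockId, op) && t.modes().contains(needed);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        Set<AccessMode> readOnly = EnumSet.of(AccessMode.READ);
        Token t = new Token("block-1", readOnly, sign(key, "block-1", readOnly));
        // A READ-only token is checked against every operation under both verifiers.
        for (Op op : Op.values()) {
            System.out.printf("%-11s flawed=%b strict=%b%n", op,
                    verifyFlawed(key, t, "block-1", op), verifyStrict(key, t, "block-1", op));
        }
    }
}
```

With the READ-only token, the flawed verifier accepts all three operations, while the strict verifier accepts only `READ_CHUNK`.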
Remediation
References
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E
http://www.openwall.com/lists/oss-security/2021/11/19/6