Description
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. An authenticated user with a valid READ block token can perform any write operation on the same block.
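The missing check, sketched as an added example (this is not Ozone's code): a verifier that validates a block token's expiry and block ID but ignores its access mode, next to one that also requires the mode the operation needs. All class, enum and method names are hypothetical, the block ID is a constructed sample, and the token's signature is assumed to have been verified already.

```java
import java.util.EnumSet;
import java.util.Set;

public class BlockTokenModeCheck {
    // Hypothetical names for illustration; these are not Ozone's classes.
    enum AccessMode { READ, WRITE }

    // Each datanode operation declares the access mode it requires.
    enum Op {
        READ_CHUNK(AccessMode.READ),
        WRITE_CHUNK(AccessMode.WRITE),
        PUT_BLOCK(AccessMode.WRITE);

        final AccessMode required;
        Op(AccessMode required) { this.required = required; }
    }

    // Token contents, assumed authentic (signature verified upstream).
    record BlockToken(String blockId, Set<AccessMode> modes, long expiryMillis) {}

    // Flawed pattern: checks expiry and block ID, never looks at the modes.
    static boolean verifyWithoutMode(BlockToken t, String blockId, Op op, long now) {
        return now < t.expiryMillis() && t.blockId().equals(blockId);
    }

    // Corrected pattern: the token must also grant the mode the operation needs.
    static boolean verifyWithMode(BlockToken t, String blockId, Op op, long now) {
        return verifyWithoutMode(t, blockId, op, now)
            && t.modes().contains(op.required);
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        // Constructed sample: a READ-only token for one block.
        BlockToken readOnly =
            new BlockToken("block-0001", EnumSet.of(AccessMode.READ), now + 60_000);

        for (Op op : Op.values()) {
            System.out.printf("%-11s without mode check: %-5b  with mode check: %b%n",
                op,
                verifyWithoutMode(readOnly, "block-0001", op, now),
                verifyWithMode(readOnly, "block-0001", op, now));
        }
    }
}
```

A regression test for this class of bug should present a READ-only token to every write operation and expect each one to be rejected.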
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E