Description
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E