Description
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.
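The missing check described above, as an added example that is not Ozone's own code: a simplified Java model of datanode-side block token verification, with the flawed form that ignores the token's access modes beside a hardened form. The class, method and field names, the token layout and the key are all hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Simplified model of a datanode-side block token check. All names are hypothetical.
public class BlockTokenCheck {
    enum AccessMode { READ, WRITE, DELETE }

    record BlockToken(String blockId, Set<AccessMode> modes, Instant expiry, byte[] mac) {
        // Bytes covered by the MAC: block id, granted modes and expiry.
        byte[] payload() {
            return (blockId + "|" + modes + "|" + expiry.getEpochSecond())
                    .getBytes(StandardCharsets.UTF_8);
        }
    }

    static byte[] sign(byte[] key, byte[] data) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hmac.doFinal(data);
    }

    // Flawed: authenticates the token and matches the block, but never consults t.modes().
    static boolean verifyFlawed(byte[] key, BlockToken t, String blockId, AccessMode needed) throws Exception {
        return MessageDigest.isEqual(sign(key, t.payload()), t.mac())
                && Instant.now().isBefore(t.expiry())
                && t.blockId().equals(blockId);
    }

    // Hardened: additionally requires the token to grant the mode the operation needs.
    static boolean verify(byte[] key, BlockToken t, String blockId, AccessMode needed) throws Exception {
        return verifyFlawed(key, t, blockId, needed) && t.modes().contains(needed);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample key
        Instant expiry = Instant.now().plusSeconds(600);
        BlockToken unsigned = new BlockToken("block-42", EnumSet.of(AccessMode.READ), expiry, new byte[0]);
        BlockToken readOnly = new BlockToken("block-42", unsigned.modes(), expiry, sign(key, unsigned.payload()));
        // Same READ-only token, checked against the mode each operation requires.
        System.out.println("flawed,   WRITE: " + verifyFlawed(key, readOnly, "block-42", AccessMode.WRITE));
        System.out.println("hardened, WRITE: " + verify(key, readOnly, "block-42", AccessMode.WRITE));
        System.out.println("hardened, READ:  " + verify(key, readOnly, "block-42", AccessMode.READ));
    }
}
```

The signature, expiry and block ID checks all pass for the READ-only token in both forms; only the comparison of the granted modes against the mode the operation requires separates them.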
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/6
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E