Description
In Apache Ozone before 1.2.0, the Ozone Datanode does not check the access mode parameter of the block token. An authenticated user with a valid READ block token can perform any write operation on the same block.
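A simplified model of the missing check, added here as an illustration and not taken from Apache Ozone's code. The class, enum and method names and the sample token are assumptions.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified model of the flaw; all names are hypothetical, not Apache Ozone's API.
public class BlockTokenModeCheck {
    enum AccessMode { READ, WRITE }
    enum Op { READ_CHUNK, WRITE_CHUNK, PUT_BLOCK }

    // Token as seen after its signature and expiry have already been validated.
    record BlockToken(String owner, String blockId, Set<AccessMode> modes) {}

    // Access mode that each datanode operation requires.
    static AccessMode required(Op op) {
        return op == Op.READ_CHUNK ? AccessMode.READ : AccessMode.WRITE;
    }

    // Flawed check: binds the token to the block but ignores the access mode.
    static boolean verifyWithoutMode(BlockToken t, String blockId, Op op) {
        return t.blockId().equals(blockId);
    }

    // Hardened check: the token must also carry the mode the operation needs.
    static boolean verifyWithMode(BlockToken t, String blockId, Op op) {
        return t.blockId().equals(blockId) && t.modes().contains(required(op));
    }

    public static void main(String[] args) {
        // Constructed sample token: READ only, scoped to one block.
        String block = "conID:1 locID:100";
        BlockToken readOnly = new BlockToken("alice", block, EnumSet.of(AccessMode.READ));
        for (Op op : Op.values()) {
            System.out.printf("%-11s flawed=%-5b hardened=%b%n", op,
                verifyWithoutMode(readOnly, block, op),
                verifyWithMode(readOnly, block, op));
        }
        // A token for a different block is rejected by both checks.
        System.out.println("other block accepted: "
            + verifyWithMode(readOnly, "conID:1 locID:101", Op.READ_CHUNK));
    }
}
```

The hardened check ties authorization to both the block and the requested operation, so a READ-only token no longer passes for write operations.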
Remediation
References
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E
http://www.openwall.com/lists/oss-security/2021/11/19/6