CVE-2021-36372 – org.apache.ozone:ozone-main
Package
Manager: maven
Name: org.apache.ozone:ozone-main
Vulnerable Version: >=0 <1.2.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00628 (percentile 0.6935)
Details
Improper Privilege Management in Apache Ozone
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
Metadata
Created: 2021-11-23T17:57:14Z
Modified: 2024-01-31T15:13:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-86fh-j58m-7pf5/GHSA-86fh-j58m-7pf5.json
CWE IDs: ["CWE-273"]
Alternative ID: GHSA-86fh-j58m-7pf5
Finding: F159
Auto approve: 1