CVE-2021-39235 – org.apache.ozone:ozone-main
Package
Manager: maven
Name: org.apache.ozone:ozone-main
Vulnerable Version: >=0 <1.2.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00498 (percentile: 0.64892)
Details
Incorrect permissions in Apache Ozone. In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can do any write operation on the same block.
Metadata
Created: 2021-11-23T18:17:41Z
Modified: 2023-11-14T21:48:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-c6j7-4fr9-c76p/GHSA-c6j7-4fr9-c76p.json
CWE IDs: ["CWE-732"]
Alternative ID: GHSA-c6j7-4fr9-c76p
Finding: F039
Auto approve: 1