CVE-2020-17517

CWE-285CWE-306Missing AuthenticationCWE-862Missing Authorization3 documents3 sources
Severity
7.5HIGH
EPSS
0.4%
top 38.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache OzoneApache Software Foundation Apache Ozone
Timeline
PublishedApr 27
Latest updateMay 24

Description

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/ozone< 1.1.0
CVEListV5apache_software_foundation/apache_ozoneApache Ozone1.0.0

🔴Vulnerability Details

2
GHSA
GHSA-h253-pq36-ggpj: The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default2022-05-24
CVEList
Ozone S3 Gateway allows bucket and key access to non authenticated users2021-04-27
CVE-2020-17517 (HIGH CVSS 7.5) | The S3 buckets and keys in a secure | cvebase.io