CVE-2021-36372

CWE-2734 documents4 sources

Severity

9.8CRITICAL

EPSS

0.6%

top 29.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ozone Apache Software Foundation Apache Ozone

Timeline

PublishedNov 19

Latest updateNov 23

Description

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/ozone< 1.2.0

▶Mavenorg.apache.ozone:ozone-main< 1.2.0

▶CVEListV5apache_software_foundation/apache_ozone1.1 — 1.1

🔴Vulnerability Details

OSV

Improper Privilege Management in Apache Ozone↗2021-11-23

▶

GHSA

Improper Privilege Management in Apache Ozone↗2021-11-23

▶

CVEList

Original block tokens are persisted and can be retrieved↗2021-11-19

▶