CVE-2021-39231Missing Authorization in Apache Ozone

CWE-862Missing AuthorizationCWE-668Resource Exposure4 documents4 sources
Severity
9.1CRITICALNVD
EPSS
1.2%
top 20.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache OzoneApache Software Foundation Apache Ozone
Timeline
PublishedNov 19
Latest updateNov 23

Description

In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

NVDapache/ozone< 1.2.0

🔴Vulnerability Details

3
OSV
Exposure of sensitive information in Apache Ozone2021-11-23
GHSA
Exposure of sensitive information in Apache Ozone2021-11-23
CVEList
Missing authentication/authorization on internal RPC endpoints2021-11-19
CVE-2021-39231 — Missing Authorization in Apache Ozone | cvebase