CVE-2021-39233

CWE-306 — Missing Authentication CWE-863 — Incorrect Authorization4 documents4 sources

Severity

9.1CRITICAL

EPSS

1.2%

top 21.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ozone Apache Software Foundation Apache Ozone

Timeline

PublishedNov 19

Latest updateNov 23

Description

In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶NVDapache/ozone< 1.2.0

▶Mavenorg.apache.ozone:ozone-main< 1.2.0

▶CVEListV5apache_software_foundation/apache_ozone1.1 — 1.1

🔴Vulnerability Details

GHSA

Incorrect Authorization in Apache Ozone↗2021-11-23

▶

OSV

Incorrect Authorization in Apache Ozone↗2021-11-23

▶

CVEList

Container-related datanode operations can be called without authorization↗2021-11-19

▶