CVE-2021-39234

CWE-20 — Improper Input Validation CWE-863 — Incorrect Authorization4 documents4 sources

Severity

6.8MEDIUM

EPSS

0.2%

top 57.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ozone Apache Software Foundation Apache Ozone

Timeline

PublishedNov 19

Latest updateNov 23

Description

In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages3 packages

▶NVDapache/ozone< 1.2.0

▶Mavenorg.apache.ozone:ozone-main< 1.2.0

▶CVEListV5apache_software_foundation/apache_ozone1.1 — 1.1

🔴Vulnerability Details

GHSA

Incorrect Authorization in Apache Ozone↗2021-11-23

▶

OSV

Incorrect Authorization in Apache Ozone↗2021-11-23

▶

CVEList

Raw block data can be read bypassing ACL/authorization↗2021-11-19

▶