CVE-2021-39235 — Incorrect Permission Assignment in Apache Ozone

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 41.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ozone Apache Software Foundation Apache Ozone

Timeline

PublishedNov 19

Latest updateNov 23

Description

In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/ozone< 1.2.0

▶CVEListV5apache_software_foundation/apache_ozone1.0 — 1.0

🔴Vulnerability Details

OSV

Incorrect permissions in Apache Ozone↗2021-11-23

▶

GHSA

Incorrect permissions in Apache Ozone↗2021-11-23

▶

CVEList

Access mode of block tokens are not enforced↗2021-11-19

▶