Severity
8.8 HIGH
EPSS
0.6%
top 29.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 19
Latest update: Nov 23

Description

In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 | Impact: 5.9

Affected Packages: 3 packages

🔴Vulnerability Details

3
OSV
Apache Ozone user impersonation due to non-validation of Ozone S3 tokens (2021-11-23)
GHSA
Apache Ozone user impersonation due to non-validation of Ozone S3 tokens (2021-11-23)
CVEList
Owners of the S3 tokens are not validated (2021-11-19)
CVE-2021-39236 (HIGH CVSS 8.8) | In Apache Ozone before 1.2.0 | cvebase.io