Vulnerabilites related to Apache Software Foundation - Apache Ozone
CVE-2021-36372 (GCVE-0-2021-36372)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 00:54
Severity ?
CWE
  • CWE-273 - Improper Check for Dropped Privileges
Summary
In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:54:51.493Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.1",
              "status": "affected",
              "version": "1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-273",
              "description": "CWE-273 Improper Check for Dropped Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-31T09:30:38.799Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/1"
        }
      ],
      "source": {
        "defect": [
          "HDDS-5315"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Original block tokens are persisted and can be retrieved",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-36372",
          "STATE": "PUBLIC",
          "TITLE": "Original block tokens are persisted and can be retrieved"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.1",
                            "version_value": "1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-273 Improper Check for Dropped Privileges"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/1"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-5315"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-36372",
    "datePublished": "2021-11-19T09:20:16",
    "dateReserved": "2021-07-12T00:00:00",
    "dateUpdated": "2024-08-04T00:54:51.493Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-39234 (GCVE-0-2021-39234)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 01:58
Severity ?
CWE
  • CWE-20 - Improper Input Validation
Summary
In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:58:18.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-39234: Apache Ozone: Raw block data can be read bypassing ACL/authorization",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.1",
              "status": "affected",
              "version": "1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-19T12:07:00",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-39234: Apache Ozone: Raw block data can be read bypassing ACL/authorization",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/5"
        }
      ],
      "source": {
        "defect": [
          "HDDS-5061"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Raw block data can be read bypassing ACL/authorization",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-39234",
          "STATE": "PUBLIC",
          "TITLE": "Raw block data can be read bypassing ACL/authorization"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.1",
                            "version_value": "1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-39234: Apache Ozone: Raw block data can be read bypassing ACL/authorization",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/5"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-5061"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-39234",
    "datePublished": "2021-11-19T09:20:22",
    "dateReserved": "2021-08-17T00:00:00",
    "dateUpdated": "2024-08-04T01:58:18.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-39196 (GCVE-0-2023-39196)
Vulnerability from cvelistv5
Published
2024-02-07 12:56
Modified
2025-02-13 17:02
CWE
  • CWE-287 - Improper Authentication
Summary
Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Ozone Version: 1.2.0    1.3.0
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:02:06.517Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/07/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39196",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-11T19:21:58.313837Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T19:22:38.642Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.3.0",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Authentication vulnerability in Apache Ozone.\u003cbr\u003e\u003cbr\u003eThe vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication.\u003cbr\u003eThe attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability.\u003cbr\u003eThe accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.4.0, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Authentication vulnerability in Apache Ozone.\n\nThe vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication.\nThe attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability.\nThe accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone.\nThis issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.\n\nUsers are recommended to upgrade to version 1.4.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-07T13:00:10.251Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/02/07/2"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-39196",
    "datePublished": "2024-02-07T12:56:29.534Z",
    "dateReserved": "2023-07-25T16:03:31.583Z",
    "dateUpdated": "2025-02-13T17:02:38.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41532 (GCVE-0-2021-41532)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 03:15
Severity ?
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Ozone Version: Everglades (1.1.0)   <
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:15:29.160Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-41532: Apache Ozone: Unauthenticated access to Ozone Recon HTTP endpoints",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.1.0",
              "status": "affected",
              "version": "Everglades (1.1.0)",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Ethan Rose for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-19T12:06:50",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-41532: Apache Ozone: Unauthenticated access to Ozone Recon HTTP endpoints",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/8"
        }
      ],
      "source": {
        "defect": [
          "HDDS-5691"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated access to Ozone Recon HTTP endpoints",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-41532",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated access to Ozone Recon HTTP endpoints"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Everglades (1.1.0)",
                            "version_value": "1.1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Ethan Rose for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-41532: Apache Ozone: Unauthenticated access to Ozone Recon HTTP endpoints",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/8"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-5691"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-41532",
    "datePublished": "2021-11-19T09:20:26",
    "dateReserved": "2021-09-20T00:00:00",
    "dateUpdated": "2024-08-04T03:15:29.160Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45106 (GCVE-0-2024-45106)
Vulnerability from cvelistv5
Published
2024-12-03 09:06
Modified
2024-12-03 15:52
Severity ?
CWE
  • CWE-287 - Improper Authentication
Summary
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false. * The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators. Users are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-12-03T10:03:38.771Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/12/02/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:ozone:1.4.0:-:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ozone",
            "vendor": "apache",
            "versions": [
              {
                "status": "affected",
                "version": "1.4.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45106",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T14:13:05.462561Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-863",
                "description": "CWE-863 Incorrect Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T15:52:28.971Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.ozone:ozone-s3gateway",
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ethan Rose"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ivan Zlenko"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003ctt\u003eozone.s3g.secret.http.enabled\u003c/tt\u003e is set to \u003ctt\u003etrue\u003c/tt\u003e. The default value of this configuration is \u003ctt\u003efalse\u003c/tt\u003e.\u003c/li\u003e\u003cli\u003eThe user configured in \u003ctt\u003eozone.s3g.kerberos.principal\u003c/tt\u003e is also configured in \u003ctt\u003eozone.s3.administrators\u003c/tt\u003e or \u003ctt\u003eozone.administrators\u003c/tt\u003e.\u003c/li\u003e\u003c/ul\u003eUsers are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.\u003cbr\u003e"
            }
          ],
          "value": "Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if:\n  *  ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false.\n  *  The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators.\n\n\nUsers are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T09:06:23.356Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/rylnxwttp004kvotpk9j158vb238pfkm"
        }
      ],
      "source": {
        "defect": [
          "HDDS-9203"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Apache Ozone: Improper authentication when generating S3 secrets",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-45106",
    "datePublished": "2024-12-03T09:06:23.356Z",
    "dateReserved": "2024-08-21T21:51:31.318Z",
    "dateUpdated": "2024-12-03T15:52:28.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-39233 (GCVE-0-2021-39233)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 01:58
Severity ?
CWE
  • CWE-306 - cwe-306 Missing Authentication for Critical Function
Summary
In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:58:18.231Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C394a9a73-44dd-b5db-84d8-607c3226eb00%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-39233: Apache Ozone: Container-related datanode operations can be called without authorization",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.1",
              "status": "affected",
              "version": "1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": " cwe-306 Missing Authentication for Critical Function ",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-19T12:06:52",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C394a9a73-44dd-b5db-84d8-607c3226eb00%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-39233: Apache Ozone: Container-related datanode operations can be called without authorization",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/4"
        }
      ],
      "source": {
        "defect": [
          "HDDS-4729",
          "HDDS-5236"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Container-related datanode operations can be called without authorization",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-39233",
          "STATE": "PUBLIC",
          "TITLE": "Container-related datanode operations can be called without authorization"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.1",
                            "version_value": "1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": " cwe-306 Missing Authentication for Critical Function "
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C394a9a73-44dd-b5db-84d8-607c3226eb00%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C394a9a73-44dd-b5db-84d8-607c3226eb00%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-39233: Apache Ozone: Container-related datanode operations can be called without authorization",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/4"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-4729",
            "HDDS-5236"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-39233",
    "datePublished": "2021-11-19T09:20:20",
    "dateReserved": "2021-08-17T00:00:00",
    "dateUpdated": "2024-08-04T01:58:18.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-39231 (GCVE-0-2021-39231)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 01:58
Severity ?
CWE
Summary
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:58:18.341Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-39231: Apache Ozone: Missing authentication/authorization on internal RPC endpoints",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-15T08:42:23.703Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-39231: Apache Ozone: Missing authentication/authorization on internal RPC endpoints",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/2"
        }
      ],
      "source": {
        "defect": [
          "HDDS-4704",
          "HDDS-4730",
          "HDDS-4496",
          "HDDS-4788"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Missing authentication/authorization on internal RPC endpoints",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-39231",
          "STATE": "PUBLIC",
          "TITLE": "Missing authentication/authorization on internal RPC endpoints"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.0",
                            "version_value": "1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-39231: Apache Ozone: Missing authentication/authorization on internal RPC endpoints",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/2"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-4704",
            "HDDS-4730",
            "HDDS-4496",
            "HDDS-4788"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-39231",
    "datePublished": "2021-11-19T09:20:17",
    "dateReserved": "2021-08-17T00:00:00",
    "dateUpdated": "2024-08-04T01:58:18.341Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-39235 (GCVE-0-2021-39235)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 02:06
Severity ?
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Summary
In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:06:41.327Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-39235: Apache Ozone: Access mode of block tokens are not enforced",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone before 1.2.0, Ozone Datanode doesn\u0027t check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-13T12:47:55.398Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-39235: Apache Ozone: Access mode of block tokens are not enforced",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/6"
        }
      ],
      "source": {
        "defect": [
          "HDDS-4558",
          "HDDS-4644"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Access mode of block tokens are not enforced",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-39235",
          "STATE": "PUBLIC",
          "TITLE": "Access mode of block tokens are not enforced"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.0",
                            "version_value": "1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone before 1.2.0, Ozone Datanode doesn\u0027t check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-732 Incorrect Permission Assignment for Critical Resource"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-39235: Apache Ozone: Access mode of block tokens are not enforced",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/6"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-4558",
            "HDDS-4644"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-39235",
    "datePublished": "2021-11-19T09:20:23",
    "dateReserved": "2021-08-17T00:00:00",
    "dateUpdated": "2024-08-04T02:06:41.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-39232 (GCVE-0-2021-39232)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 01:58
Severity ?
CWE
Summary
In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:58:18.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C3c30a7f2-13a4-345e-6c8a-c23a2b937041%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-39232: Apache Ozone: Missing admin check for SCM related admin commands",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "    Apache Ozone would like to thank Wei-Chiu Chuang for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-13T12:51:01.887Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C3c30a7f2-13a4-345e-6c8a-c23a2b937041%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-39232: Apache Ozone: Missing admin check for SCM related admin commands",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/3"
        }
      ],
      "source": {
        "defect": [
          "HDDS-4530"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Missing admin check for SCM related admin commands",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-39232",
          "STATE": "PUBLIC",
          "TITLE": "Missing admin check for SCM related admin commands"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.0",
                            "version_value": "1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "    Apache Ozone would like to thank Wei-Chiu Chuang for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C3c30a7f2-13a4-345e-6c8a-c23a2b937041%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C3c30a7f2-13a4-345e-6c8a-c23a2b937041%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-39232: Apache Ozone: Missing admin check for SCM related admin commands",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/3"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-4530"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-39232",
    "datePublished": "2021-11-19T09:20:19",
    "dateReserved": "2021-08-17T00:00:00",
    "dateUpdated": "2024-08-04T01:58:18.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-17517 (GCVE-0-2020-17517)
Vulnerability from cvelistv5
Published
2021-04-27 08:22
Modified
2024-08-04 14:00
Severity ?
CWE
Summary
The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Ozone Version: Apache Ozone   <
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T14:00:48.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.0.0",
              "status": "affected",
              "version": "Apache Ozone",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Kota Uenishi for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-05T19:13:10",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Ozone S3 Gateway allows bucket and key access to non authenticated users ",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to the latest Apache Ozone 1.1.0 release."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-17517",
          "STATE": "PUBLIC",
          "TITLE": "Ozone S3 Gateway allows bucket and key access to non authenticated users "
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Ozone",
                            "version_value": "1.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Kota Uenishi for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285 Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to the latest Apache Ozone 1.1.0 release."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-17517",
    "datePublished": "2021-04-27T08:22:22",
    "dateReserved": "2020-08-12T00:00:00",
    "dateUpdated": "2024-08-04T14:00:48.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-39236 (GCVE-0-2021-39236)
Vulnerability from cvelistv5
Published
2021-11-19 09:20
Modified
2024-08-04 02:06
Severity ?
CWE
Summary
In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:06:40.807Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E"
          },
          {
            "name": "[oss-security] 20211118 CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/7"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/HDDS-4763"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ozone",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-05T09:54:07.722Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E"
        },
        {
          "name": "[oss-security] 20211118 CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/7"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://issues.apache.org/jira/browse/HDDS-4763"
        }
      ],
      "source": {
        "defect": [
          "HDDS-4763"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Owners of the S3 tokens are not validated",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Ozone release version 1.2.0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-39236",
          "STATE": "PUBLIC",
          "TITLE": "Owners of the S3 tokens are not validated"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ozone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.0",
                            "version_value": "1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "cwe-20 Improper Input Validation "
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E",
              "refsource": "MISC",
              "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E"
            },
            {
              "name": "[oss-security] 20211118 CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/7"
            }
          ]
        },
        "source": {
          "defect": [
            "HDDS-4763"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Ozone release version 1.2.0"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-39236",
    "datePublished": "2021-11-19T09:20:25",
    "dateReserved": "2021-08-17T00:00:00",
    "dateUpdated": "2024-08-04T02:06:40.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}