CVE-2020-17517

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:*

History

05 Aug 2022, 17:12

Type Values Removed Values Added
CWE CWE-862 CWE-306

07 May 2021, 17:53

Type Values Removed Values Added
CWE CWE-862
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
References (MISC) https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E - (MISC) https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E - Mailing List, Vendor Advisory
CPE cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:*

06 May 2021, 13:15

Type Values Removed Values Added
Summary The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release. Improper Authorization vulnerability in __COMPONENT__ of Apache Ozone allows an attacker to __IMPACT__. This issue affects Apache Ozone Apache Ozone version 1.0.0 and prior versions. The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.
References
  • {'url': 'https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa@%3Cdev.ozone.apache.org%3E', 'name': '[ozone-dev] 20210427 CVE-2020-17517: Apache Ozone: Ozone S3 Gateway allows bucket and key access to non authenticated users', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://github.com/CVEProject/cvelist/pull/1455', 'name': 'https://github.com/CVEProject/cvelist/pull/1455', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'http://www.openwall.com/lists/oss-security/2021/04/27/1', 'name': '[oss-security] 20210427 CVE-2020-17517: Apache Ozone: Ozone S3 Gateway allows bucket and key access to non authenticated users', 'tags': [], 'refsource': 'MLIST'}

05 May 2021, 14:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa@%3Cdev.ozone.apache.org%3E -
  • (MISC) https://github.com/CVEProject/cvelist/pull/1455 -
  • (MLIST) http://www.openwall.com/lists/oss-security/2021/04/27/1 -

27 Apr 2021, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-04-27 09:15

Updated : 2023-12-10 13:55


NVD link : CVE-2020-17517

Mitre link : CVE-2020-17517

CVE.ORG link : CVE-2020-17517


JSON object : View

Products Affected

apache

  • ozone
CWE
CWE-306

Missing Authentication for Critical Function

CWE-285

Improper Authorization