In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
References
| Link | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2021/11/19/1 | Third Party Advisory |
| https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E | Mailing List Mitigation Vendor Advisory |
Configurations
History
31 Jan 2024, 10:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE |
20 Nov 2021, 01:57
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
| CPE | cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:* | |
| CWE | CWE-273 | |
| References | (MLIST) http://www.openwall.com/lists/oss-security/2021/11/19/1 - Third Party Advisory | |
| References | (MISC) https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E - Mailing List, Mitigation, Vendor Advisory |
19 Nov 2021, 13:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
19 Nov 2021, 10:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2021-11-19 10:15
Updated : 2024-01-31 10:15
NVD link : CVE-2021-36372
Mitre link : CVE-2021-36372
CVE.ORG link : CVE-2021-36372
JSON object : View
Products Affected
apache
- ozone
CWE
CWE-273
Improper Check for Dropped Privileges