CVE-2021-39235

MEDIUM

Apache Ozone < 1.2.0 - Incorrect Permission Assignment


Description

In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.

References (2)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/11/19/6

Scores

CVSS v3 6.5
EPSS 0.0037
EPSS Percentile 58.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-732
Status published
Products (2)
apache/ozone < 1.2.0
org.apache.ozone/ozone-main 0 - 1.2.0 (Maven)
Published Nov 19, 2021
Tracked Since Feb 18, 2026