CVE-2021-39235
MEDIUMApache Ozone < 1.2.0 - Authenticated Incorrect Permission Assignment for Critical Resource
Title source: llmDescription
In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.
References (2)
Core 2
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/11/19/6
Scores
CVSS v3
6.5
EPSS
0.0150
EPSS Percentile
71.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-732
Status
published
Products (2)
apache/ozone
< 1.2.0
org.apache.ozone/ozone-main
0 - 1.2.0Maven
Published
Nov 19, 2021
Tracked Since
Feb 18, 2026