CVE-2023-39196
MEDIUMApache Ozone 1.2.0-1.3.0 - Unauthenticated Metadata Disclosure in Storage Container Manager
Title source: llmDescription
Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/02/07/2
Issue Tracking, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky
Scores
CVSS v3
5.3
EPSS
0.0009
EPSS Percentile
25.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-287
Status
published
Products (2)
apache/ozone
1.2.0 - 1.3.0
org.apache.ozone/ozone-main
1.2.0 - 1.4.0Maven
Published
Feb 07, 2024
Tracked Since
Feb 18, 2026