GHSA-5993-wwpg-m92c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5993-wwpg-m92c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-5993-wwpg-m92c/GHSA-5993-wwpg-m92c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5993-wwpg-m92c
- Aliases
- Published
- 2021-11-23T17:56:45Z
- Modified
- 2024-02-16T08:23:18.558163Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Apache Ozone user impersonation due to non-validation of Ozone S3 tokens
- Details
-
In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
- Database specific
{ "nvd_published_at": "2021-11-19T10:15:00Z", "cwe_ids": [ "CWE-862", "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-11-22T19:05:30Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-39236
- https://github.com/apache/ozone/pull/1871
- https://github.com/apache/ozone/commit/60e078729e18ef1be276f35659957ac553d266f7
- https://github.com/apache/ozone
- https://issues.apache.org/jira/browse/HDDS-4763
- https://lists.apache.org/thread/q0lhspolnwfbsw33w98b7b1923n1np4d
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/11/19/7
Affected packages
Maven / org.apache.hadoop:hadoop-ozone-ozone-manager
Package
- Name
- org.apache.hadoop:hadoop-ozone-ozone-manager
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.hadoop/hadoop-ozone-ozone-manager