RSS   Vulnerabilities for 'Ozone'   RSS

2021-11-19
 
CVE-2021-36372

CWE-273
 

 
In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

 
 
CVE-2021-39231

CWE-668
 

 
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.

 
 
CVE-2021-39232

CWE-863
 

 
In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.

 
 
CVE-2021-39233

CWE-863
 

 
In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.

 
 
CVE-2021-39234

CWE-863
 

 
In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.

 
 
CVE-2021-39235

CWE-732
 

 
In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.

 
 
CVE-2021-39236

CWE-287
 

 
In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

 
 
CVE-2021-41532

CWE-668
 

 
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.

 

 >>> Vendor: Apache 247 Products
Http server
Tomcat
Jserv
Mod python
Traffic server
Openoffice
Cocoon
Spamassassin
Subversion
Jspwiki
Xerces-c++
James
Mod auth radius
Coyote http connector
Mod imap
Struts
Derby
Libapreq2
Jetspeed
Geronimo
FLEX
Log4net
Open for business project
Opentaps
Apache http server
Tomcat jk web server connector
Apache test
Mod perl
AXIS
Myfaces tomahawk
Storm
Jakarta slide
Openoffice.org
Mod jk
Apache webserver
Roller
Apr-util
Jackrabbit
Tiles
Portable runtime
APR
SOLR
QPID
Couchdb
Axis2
Activemq
Myfaces
CXF
Archiva
Shiro
Mod fcgid
Libcloud
Continuum
Httpclient
Rampart/c
Wicket
Apache commons daemon
Http server2.0a1
Http server2.0a2
Http server2.0a3
Http server2.0a4
Http server2.0a5
Http server2.0a6
Http server2.0a7
Http server2.0a8
Http server2.0a9
Hadoop
Commons-compress
Org.apache.sling.servlets.post
POI
Guacamole
Cloudstack
Commons-httpclient
Commons fileupload
RAVE
Maven
Openjpa
Struts2-showcase
Xml security for c++
Xml security for java
Camel
Shindig
Sling auth core component
Sling
Mod dontdothat
Mod dav svn
Cordova
Xalan-java
Zookeeper
Syncope
Harmony
Hbase
Httpasyncclient
Ofbiz
Apache axis2/c
Wss4j
Mod auth mellon
HIVE
Xml security
Santuario xml security for java
See all Products for Vendor Apache


Copyright 2024, cxsecurity.com

 

Back to Top