Lucene search
+L

121 matches found

Prion
Prion
added 2021/11/19 10:15 a.m.28 views

Design/Logic Flaw

In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...

6.4CVSS9.1AI score0.02296EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2021/11/19 10:15 a.m.20 views

Code injection

In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints...

5CVSS5.2AI score0.02315EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2021/11/19 10:15 a.m.21 views

Design/Logic Flaw

In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins...

6.5CVSS8.6AI score0.01632EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2021/11/19 10:15 a.m.20 views

Code injection

In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block...

4CVSS6.5AI score0.01501EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2021/11/19 10:15 a.m.20 views

Code injection

In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user...

6.5CVSS8.7AI score0.02483EPSS
Exploits1References3Affected Software1
Prion
Prion
added 2021/11/19 10:15 a.m.21 views

Design/Logic Flaw

In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client...

6.4CVSS9.2AI score0.02296EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2021/11/19 10:15 a.m.15 views

Design/Logic Flaw

In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL...

4.9CVSS6.6AI score0.01367EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2021/11/19 9:20 a.m.60 views

CVE-2021-41532

Apache Ozone prior to 1.2.0 has an access-control flaw: Recon HTTP endpoints expose OM, SCM and Datanode metadata to unauthenticated users due to a bug. Affected component is Recon HTTP endpoints in Ozone; root cause is insufficient access controls allowing data exposure. Impact is exposure of me...

5.3CVSS5.2AI score0.02315EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2021/11/19 9:20 a.m.61 views

CVE-2021-39236

Apache Ozone (before 1.2.0) is affected. Authenticated users with valid Ozone S3 credentials can create specific OM requests and impersonate other users due to non-validation/inadequate protection of Ozone S3 tokens. Exploitation details are described across multiple sources (including CVE-2021-3...

8.8CVSS8.7AI score0.02483EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2021/11/19 9:20 a.m.26 views

CVE-2021-39236 Owners of the S3 tokens are not validated

In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user...

8.9AI score0.02483EPSS
Exploits1References3
Cvelist
Cvelist
added 2021/11/19 9:20 a.m.28 views

CVE-2021-39235 Access mode of block tokens are not enforced

In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block...

6.7AI score0.01501EPSS
Exploits0References2
Cvelist
Cvelist
added 2021/11/19 9:20 a.m.21 views

CVE-2021-39234 Raw block data can be read bypassing ACL/authorization

In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL...

6.8AI score0.01367EPSS
Exploits0References2
CVE
CVE
added 2021/11/19 9:20 a.m.51 views

CVE-2021-39234

CVE-2021-39234 affects Apache Ozone up to version 1.2.0. The vulnerability allows an authenticated user who knows the ID of an existing block to craft a request that accesses that block, bypassing ACL and other security checks. This is a block-access control error in the Ozone identity/authorizat...

6.8CVSS6.5AI score0.01367EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/11/19 9:20 a.m.31 views

CVE-2021-39233 Container-related datanode operations can be called without authorization

In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client...

9.4AI score0.02296EPSS
Exploits0References2
CVE
CVE
added 2021/11/19 9:20 a.m.48 views

CVE-2021-39233

In Apache Ozone, versions prior to 1.2.0 expose a security issue where Container related Datanode requests are not properly authorized and can be invoked by any client. The vulnerability impacts confidentiality and integrity, with CVSS up to 9.1 (CRITICAL) in the 3.1 vector, but no exploitation d...

9.1CVSS9.2AI score0.02296EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/11/19 9:20 a.m.30 views

CVE-2021-39232 Missing admin check for SCM related admin commands

In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins...

8.9AI score0.01632EPSS
Exploits0References2
CVE
CVE
added 2021/11/19 9:20 a.m.57 views

CVE-2021-39232

Apache Ozone (versions prior to 1.2.0) is affected by an authorization issue where certain admin SCM commands can be executed by any authenticated user, effectively an authorization bypass. The vulnerability is described across multiple sources (NVD, Red Hat, OSV, GHSA, CNVD, Veracode) with the c...

8.8CVSS8.7AI score0.01632EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/11/19 9:20 a.m.37 views

CVE-2021-39231 Missing authentication/authorization on internal RPC endpoints

In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...

9.4AI score0.02296EPSS
Exploits0References2
CVE
CVE
added 2021/11/19 9:20 a.m.57 views

CVE-2021-39231

CVE-2021-39231 affects Apache Ozone

9.1CVSS9.2AI score0.02296EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/11/19 9:20 a.m.38 views

CVE-2021-36372 Original block tokens are persisted and can be retrieved

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked...

9.5AI score0.02445EPSS
Exploits0References2
Rows per page
Query Builder