Lucene search
ApacheOzone

11 matches found

added 2024/12/03 9:6 a.m., 70 views

CVE-2024-45106

CVE-2024-45106 describes an authentication flaw in the S3 Gateway of Apache Ozone 1.4.0, where an authenticated Kerberos user can revoke and regenerate another user’s S3 secrets if: ozone.s3g.secret.http.enabled is true (default is false); the Kerberos principal is listed in ozone.s3.administrato...

CVSS 8.1 | AI score 6.6 | EPSS 0.00124

added 2021/11/19 9:20 a.m., 62 views

CVE-2021-36372

Apache Ozone (versions prior to 1.2.0) contains a token handling flaw: initially generated block tokens are persisted in the metadata database and can be retrieved by authenticated users with permission to the key, allowing use of tokens even after access is revoked. This is described across mult...

CVSS 9.8 | AI score 9.3 | EPSS 0.00345

added 2021/11/19 9:20 a.m., 57 views

CVE-2021-39235

CVE-2021-39235 affects Apache Ozone prior to 1.2.0. The vulnerability stems from Ozone Datanode not validating the block token’s access mode parameter, allowing authenticated users with a valid READ token to perform write operations on the same block. This issue is consistently described across N...

CVSS 6.5 | AI score 6.4 | EPSS 0.00201

added 2021/11/19 9:20 a.m., 56 views

CVE-2021-39236

Apache Ozone (before 1.2.0) is affected. Authenticated users with valid Ozone S3 credentials can create specific OM requests and impersonate other users due to non-validation/inadequate protection of Ozone S3 tokens. Exploitation details are described across multiple sources (including CVE-2021-3...

CVSS 8.8 | AI score 8.7 | EPSS 0.00638

added 2021/11/19 9:20 a.m., 55 views

CVE-2021-41532

Apache Ozone prior to 1.2.0 has an access-control flaw: Recon HTTP endpoints expose OM, SCM and Datanode metadata to unauthenticated users due to a bug. Affected component is Recon HTTP endpoints in Ozone; root cause is insufficient access controls allowing data exposure. Impact is exposure of me...

CVSS 5.3 | AI score 5.2 | EPSS 0.00955

added 2021/11/19 9:20 a.m., 53 views

CVE-2021-39232

Apache Ozone (versions prior to 1.2.0) is affected by an authorization issue where certain admin SCM commands can be executed by any authenticated user, effectively an authorization bypass. The vulnerability is described across multiple sources (NVD, Red Hat, OSV, GHSA, CNVD, Veracode) with the c...

CVSS 8.8 | AI score 8.7 | EPSS 0.00392

added 2021/11/19 9:20 a.m., 52 views

CVE-2021-39231

CVE-2021-39231 affects Apache Ozone

CVSS 9.1 | AI score 9.2 | EPSS 0.01238

added 2021/04/27 8:22 a.m., 48 views

CVE-2020-17517

The CVE-2020-17517 entry affects Apache Ozone prior to 1.1.0, where the S3 gateway/cluster allowed anonymous access to buckets and keys via curl or unauthenticated HTTP requests. This is an authorization/config issue that enables data exposure to unauthenticated users. The practical impact is data...

CVSS 7.5 | AI score 7.6 | EPSS 0.00416

added 2021/11/19 9:20 a.m., 47 views

CVE-2021-39234

CVE-2021-39234 affects Apache Ozone up to version 1.2.0. The vulnerability allows an authenticated user who knows the ID of an existing block to craft a request that accesses that block, bypassing ACL and other security checks. This is a block-access control error in the Ozone identity/authorizat...

CVSS 6.8 | AI score 6.5 | EPSS 0.00148

added 2021/11/19 9:20 a.m., 44 views

CVE-2021-39233

Apache Ozone versions prior to 1.2.0 expose a security issue where Container-related Datanode requests are not properly authorized and can be invoked by any client. The vulnerability impacts confidentiality and integrity, with CVSS up to 9.1 (CRITICAL) in the 3.1 vector, but no exploitation d...

CVSS 9.1 | AI score 9.2 | EPSS 0.00647

added 2024/02/07 12:56 p.m., 41 views

CVE-2023-39196

CVE-2023-39196 describes an improper authentication vulnerability in Apache Ozone (affecting 1.2.0 up to 1.3.0). The issue allows an attacker to download internal metadata from the Storage Container Manager service without authenticating, but does not permit modification or access to actual user ...

CVSS 5.3 | AI score 5.2 | EPSS 0.0009