CVE-2021-36372

Опубликовано: 19 нояб. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Ссылки

http://www.openwall.com/lists/oss-security/2021/11/19/1
Third Party Advisory
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
Mailing List
Mitigation
Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/11/19/1
Third Party Advisory
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
Mailing List
Mitigation
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:*

Версия до 1.2.0 (исключая)

EPSS

Процентиль: 70%

0.00628

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-273

Связанные уязвимости

GHSA-86fh-j58m-7pf5