CVE-2023-39196

Опубликовано: 07 фев. 2024

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Improper Authentication vulnerability in Apache Ozone.

The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.

Users are recommended to upgrade to version 1.4.0, which fixes the issue.

Ссылки

http://www.openwall.com/lists/oss-security/2024/02/07/2
Mailing List
Third Party Advisory
https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky
Issue Tracking
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/07/2
Mailing List
Third Party Advisory
https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:*

Версия от 1.2.0 (включая) до 1.3.0 (включая)

EPSS

Процентиль: 31%

0.00118

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-287

Связанные уязвимости

GHSA-6726-2rx3-cgwh