Lucene search
GoogleOSV:GHSA-5993-WWPG-M92CHistoryNov 23, 2021 - 5:56 p.m.
Apache Ozone user impersonation due to non-validation of Ozone S3 tokens
2021-11-2317:56:45
Google
osv.dev
34
apache ozone
user impersonation
s3 tokens
In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
References
www.openwall.com/lists/oss-security/2021/11/19/7
github.com/apache/ozone
github.com/apache/ozone/commit/60e078729e18ef1be276f35659957ac553d266f7
github.com/apache/ozone/pull/1871
issues.apache.org/jira/browse/HDDS-4763
lists.apache.org/thread/q0lhspolnwfbsw33w98b7b1923n1np4d
mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2021-39236
Related
github
github
Apache Ozone user impersonation due to non-validation of Ozone S3 tokens
2021-11-23 17:56:45
nvd
nvd
CVE-2021-39236
2021-11-19 10:15:08
cnvd
cnvd
Apache Ozone Licensing Issue Vulnerability (CNVD-2021-91629)
2021-11-24 00:00:00
cvelist
cvelist
CVE-2021-39236 Owners of the S3 tokens are not validated
2021-11-19 09:20:25
veracode
veracode
User Impersonation
2021-11-22 16:51:25
osv
osv
CVE-2021-39236
2021-11-19 10:15:08
prion
prion
Code injection
2021-11-19 10:15:00
cve
cve
CVE-2021-39236
2021-11-19 10:15:08