hadoop-ozone-client is vulnerable to privilege escalation. An attacker can use a curl command or any other unauthenticated HTTP request to access S3 buckets and keys in a secure Apache Ozone cluster. This unauthorized access exposes the data in those buckets and keys to anonymous clients or users.
www.openwall.com/lists/oss-security/2021/04/27/1
github.com/apache/ozone/commit/cda430aac7a8afd64fe184ed250c6fa7482e2279
github.com/apache/ozone/pull/2144
github.com/CVEProject/cvelist/pull/1455
issues.apache.org/jira/browse/HDDS-5087
lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E