org.apache.hadoop:hadoop-ozone-common is vulnerable to privilege escalation. An authenticated attacker who knows the ID of an existing block belonging to another user can gain access to that block via a specially crafted request, bypassing other security checks such as access control lists.
www.openwall.com/lists/oss-security/2021/11/19/5
github.com/apache/ozone/commit/057f0a0e11a92c82ad4ba168e737fa5250188a7f
github.com/apache/ozone/pull/2108
issues.apache.org/jira/browse/HDDS-5061
mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3E