hadoop-ozone-recon is vulnerable to information disclosure. The vulnerability exists because the Recon NSSummaryEndpoint and ContainerEndpoint are not restricted to admin users, which allows an attacker to access data from these endpoints.
www.openwall.com/lists/oss-security/2021/11/19/8
github.com/apache/ozone/commit/fc61be54b837006aae8c2127d9dd88d69aa52b6e
github.com/apache/ozone/pull/2638
issues.apache.org/jira/browse/HDDS-5691
mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E