CVE-2021-36372
Improper Privilege Management in Apache Ozone
Severity: CRITICAL (CVSS 3.1 base score 9.8)
EPSS: 0.34%
Description
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
How to fix CVE-2021-36372
To remediate CVE-2021-36372, upgrade the affected package to a fixed version below.
- Upgrade to 1.2.0 or later
Is CVE-2021-36372 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Apache Ozone: from 0, < 1.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |