CVE-2021-39232

Description

In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.

How to fix CVE-2021-39232

To remediate CVE-2021-39232, upgrade the affected package to a fixed version below.

• Maven/org.apache.ozone:ozone-main—upgrade to 1.2.0 or later

Is CVE-2021-39232 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.2.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-39232
• PATCHgithub.com/apache/ozone
• WEBmail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C3c30a7f2-13a4-345e-6c8a-c23a2b937041%40apache.org%3E
• WEBwww.openwall.com/lists/oss-security/2021/11/19/3