CVE-2021-39235
Incorrect permissions in Apache Ozone
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 0.20%
Description
In Apache Ozone before 1.2.0, the Ozone Datanode does not check the access mode parameter of the block token. An authenticated user holding a valid READ block token can therefore perform any write operation on the same block.
How to fix CVE-2021-39235
To remediate CVE-2021-39235, upgrade the affected package to the fixed version listed below.
- Maven/org.apache.ozone:ozone-main: upgrade to 1.2.0 or later
Is CVE-2021-39235 being exploited?
Low: the EPSS score of 0.2% indicates a low estimated probability of exploitation in the wild.
Affected packages (1)
- Maven/org.apache.ozone:ozone-main: all versions before 1.2.0 (from 0, < 1.2.0)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |