CVE-2021-36372

EPSS 0.46%
Veröffentlicht 19.11.2021 10:15:07
Zuletzt bearbeitet 21.11.2024 06:13:37
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Original block tokens are persisted and can be retrieved

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Ozone Version < 1.2.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.644

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-273 Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

http://www.openwall.com/lists/oss-security/2021/11/19/1

Third Party Advisory

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E

Vendor Advisory

Mailing List

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2021-36372

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-36372

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-36372

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-36372