CVE-2021-36372

EPSS 0.63%
Veröffentlicht 19.11.2021 10:15:07
Zuletzt bearbeitet 21.11.2024 06:13:37
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Ozone Version < 1.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.63%	0.693

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-273 Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

http://www.openwall.com/lists/oss-security/2021/11/19/1

Third Party Advisory

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E

Vendor Advisory

Mailing List

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2021-36372

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-36372

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-36372

EUVD