CVE-2021-36372

EPSS 0.63%
Published 19.11.2021 10:15:07
Last modified 21.11.2024 06:13:37
Source security@apache.org
Teams watchlist Login
Open Login

In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Ozone Version < 1.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.63%	0.693

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-273 Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

http://www.openwall.com/lists/oss-security/2021/11/19/1

Third Party Advisory

https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E

Vendor Advisory

Mailing List

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2021-36372

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-36372

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-36372

EUVD