CVE-2021-39235

Summary

In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Ozone1.0 <= 1.0affected

Weaknesses

  • CWE-732: CWE-732 Incorrect Permission Assignment for Critical Resource

Workarounds

Upgrade to Apache Ozone release version 1.2.0

ADP Enrichment

CVE Program Container

Additional References

References