oss-sec mailing list archives
CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated
From: Siddharth Wagle <swagle () apache org>
Date: Thu, 18 Nov 2021 23:07:24 +0000
Description: Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user. This issue is being tracked as HDDS-4763 Mitigation: Upgrade to Apache Ozone release version 1.2.0 Credit: Apache Ozone would like to thank Marton Elek for reporting this issue.
Current thread:
- CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated Siddharth Wagle (Nov 19)