cvelist/2021/39xxx/CVE-2021-39235.json
2021-11-19 13:01:12 +00:00


{
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-39235",
"STATE": "PUBLIC",
"TITLE": "Access mode of block tokens are not enforced"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ozone",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "1.0",
"version_value": "1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Ozone before 1.2.0, the Ozone Datanode does not check the access mode parameter of the block token. Authenticated users holding a valid READ block token can therefore perform any write operation on the same block."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1220 Insufficient Granularity of Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E",
"name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[oss-security] 20211118 CVE-2021-39235: Apache Ozone: Access mode of block tokens are not enforced",
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/6"
}
]
},
"source": {
"defect": [
"HDDS-4558",
"HDDS-4644"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Upgrade to Apache Ozone release version 1.2.0"
}
]
}