Vulnerability Details : CVE-2021-36372
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use these tokens even after their access is revoked.
Products affected by CVE-2021-36372
- cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-36372
- EPSS score: 0.40% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~73% (the proportion of vulnerabilities scored at or below this value)
EPSS Score History
CVSS scores for CVE-2021-36372
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2021-36372
- The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
Assigned by:
- nvd@nist.gov (Secondary)
- security@apache.org (Primary)
References for CVE-2021-36372
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E
  CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved (Mailing List; Mitigation; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2021/11/19/1
  oss-security - CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved (Third Party Advisory)