org.apache.ozone:ozone-main (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.ozone:ozone-main, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2021-36372 — CVSS 9.8 (critical): In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with…
CVE-2021-39231 — CVSS 9.1 (critical): In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible…
CVE-2021-39233 — CVSS 9.1 (critical): In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be…
CVE-2021-39232 — CVSS 8.8 (high): In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.
CVE-2021-39234 — CVSS 6.8 (medium): In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access…
CVE-2021-39235 — CVSS 6.5 (medium): In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid…
CVE-2021-41532 — CVSS 5.3 (medium): In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user…
CVE-2023-39196 — CVSS 5.3 (medium): Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage…