CVE-2021-36372 is a vulnerability in Apache Ozone
Published on November 19, 2021
Original block tokens are persisted and can be retrieved
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
Weakness Type
Improper Check for Dropped Privileges
The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users.
Products Associated with CVE-2021-36372
Affected Versions
Apache Software Foundation Apache Ozone: Version 1.1, <= 1.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.