Vulnerability Details CVE-2021-39231
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.019
EPSS Ranking 82.5%
CVSS Severity
CVSS v3 Score 9.1
CVSS v2 Score 6.4
References
- http://www.openwall.com/lists/oss-security/2021/11/19/2
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/11/19/2
- https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E
Products affected by CVE-2021-39231
-
cpe:2.3:a:apache:ozone:-
-
cpe:2.3:a:apache:ozone:0.4.2
-
cpe:2.3:a:apache:ozone:0.5.0
-
cpe:2.3:a:apache:ozone:1.0.0
-
cpe:2.3:a:apache:ozone:1.1.0