Apache · Apache Ozone · CVE-2024-45106
**Name of the Vulnerable Software and Affected Versions**
Apache Ozone version 1.4.0
**Description**
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. The endpoint is exploitable only when both of the following conditions hold: `ozone.s3g.secret.http.enabled` is set to true, and the user configured in `ozone.s3g.kerberos.principal` is also listed in `ozone.s3.administrators` or `ozone.administrators`.
**Recommendations**
Upgrade to Apache Ozone version 1.4.1, which disables the affected endpoint. As a temporary workaround, consider setting `ozone.s3g.secret.http.enabled` to false to prevent exploitation. Restrict access to the S3 Gateway to minimize the risk of unauthorized S3 secret regeneration.
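To check whether a 1.4.0 deployment meets both preconditions above (and whether the workaround of setting the flag to false takes effect), here is an added configuration checker that is not part of the advisory or the Ozone project. It assumes the Hadoop-style `<property>` XML layout of `ozone-site.xml`, treats an absent `ozone.s3g.secret.http.enabled` as disabled, and matches the principal against the admin lists by either its full form or its primary component, since those lists usually hold short user names.

```python
import xml.etree.ElementTree as ET

# Constructed ozone-site.xml fragment (sample input, not taken from the advisory)
# showing the vulnerable combination described above.
SAMPLE_OZONE_SITE = """<configuration>
  <property><name>ozone.s3g.secret.http.enabled</name><value>true</value></property>
  <property><name>ozone.s3g.kerberos.principal</name><value>s3g/_HOST@EXAMPLE.COM</value></property>
  <property><name>ozone.administrators</name><value>om, s3g</value></property>
</configuration>"""


def parse_ozone_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def _names(csv):
    """Split a comma-separated admin list into a set of trimmed entries."""
    return {item.strip() for item in csv.split(",") if item.strip()}


def assess_cve_2024_45106(props):
    """Return (affected, reasons) for a parsed Ozone 1.4.0 configuration.

    Affected only when BOTH advisory preconditions hold: the secret endpoint is
    enabled and the S3G principal is an S3 or Ozone administrator.
    """
    reasons = []
    # Assumption: an absent property means the endpoint is disabled.
    if props.get("ozone.s3g.secret.http.enabled", "false").lower() != "true":
        reasons.append("ozone.s3g.secret.http.enabled is not true")
    principal = props.get("ozone.s3g.kerberos.principal", "")
    # Admin lists usually hold short user names, so accept either the full
    # principal or its primary component (the part before '/' or '@').
    primary = principal.split("/")[0].split("@")[0]
    admins = _names(props.get("ozone.s3.administrators", "")) | _names(
        props.get("ozone.administrators", ""))
    if not principal or not ({principal, primary} & admins):
        reasons.append("S3G principal is not in ozone.s3.administrators or ozone.administrators")
    return (not reasons, reasons)


if __name__ == "__main__":
    affected, why = assess_cve_2024_45106(parse_ozone_site(SAMPLE_OZONE_SITE))
    print("affected" if affected else "not affected", why)
```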