PT-2024-12779 · Apache · Apache Ozone

István Fajth · Published 2024-02-07 · Updated 2024-02-16 · CVE-2023-39196

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache Ozone versions 1.2.0 through 1.3.0

Description

The issue allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to make any modifications within the Ozone Storage Container Manager service using this issue. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone.

Recommendations

For Apache Ozone versions 1.2.0 through 1.3.0, upgrade to version 1.4.0, which fixes the issue.

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2023-39196
GHSA-6726-2RX3-CGWH

Affected Products

Apache Ozone