CVE-2020-17517— Ozone S3 Gateway allows bucket and key access to non authenticated users
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-17517
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Ozone S3 Gateway allows bucket and key access to non authenticated users
Source: NVD (National Vulnerability Database)
Vulnerability Description
The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Ozone 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Ozone是一个应用软件。一个面向Hadoop和云原生环境的可伸缩,冗余和分布式对象存储。 Apache Ozone Cluster 1.0.0版本及之前版本存在访问控制错误漏洞,该漏洞允许通过curl命令或未经身份验证的HTTP请求访问键和桶。这允许对桶和密钥进行未经授权的访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Ozone | Apache Ozone ~ 1.0.0 | - |
II. Public POCs for CVE-2020-17517
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-17517
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2021-04-27 · 5 CVEs total
| CVE-2021-30128 | Unsafe deserialization in Apache OFBiz | |
| CVE-2021-29200 | RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI | |
| CVE-2021-30638 | An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5 | |
| CVE-2021-28125 | Apache Superset Open Redirect |
IV. Related Vulnerabilities
Same product: Apache Ozone
- CVE-2024-45106
Apache Ozone: Improper authentication when generating S3 sec - CVE-2023-39196
Apache Ozone: Missing mutual TLS authentication in one of th - CVE-2021-41532
Unauthenticated access to Ozone Recon HTTP endpoints - CVE-2021-39236
Owners of the S3 tokens are not validated - CVE-2021-39235
Access mode of block tokens are not enforced
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-285
- CVE-2026-8241
Industrial Application Software IAS Canias ERP RMI iasGetSer - CVE-2026-42202
nova-toggle-5: Improper authorization on toggle endpoint all - CVE-2026-33823
Microsoft Team Events Portal Information Disclosure Vulnerab - CVE-2026-41572
Note Mark: Unauthenticated read of notes and assets in soft- - CVE-2026-7713
crocodilestick Calibre-Web-Automated Kobo auth-token Route k
V. Comments for CVE-2020-17517
No comments yet