CVE-2021-39236— Owners of the S3 tokens are not validated
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-39236
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Owners of the S3 tokens are not validated
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Ozone 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Ozone是一个应用软件。一个面向Hadoop和云原生环境的可伸缩,冗余和分布式对象存储。 Apache Ozone 中存在授权问题漏洞,该漏洞源于产品未对OM请求进行有效的权限保护。攻击者可通过有效的Ozone S3凭证创建特定的OM请求模拟其他用用户。以下产品及版本受到影响:Apache Ozone 1.2.0 之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Ozone | 1.0 ~ 1.0 | - |
II. Public POCs for CVE-2021-39236
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-39236
请登录查看更多情报信息。
- https://issues.apache.org/jira/browse/HDDS-4763issue-tracking
- https://nvd.nist.gov/vuln/detail/CVE-2021-39236
Same Patch Batch · Apache Software Foundation · 2021-11-19 · 8 CVEs total
| CVE-2021-41532 | Unauthenticated access to Ozone Recon HTTP endpoints | |
| CVE-2021-39235 | Access mode of block tokens are not enforced | |
| CVE-2021-39234 | Raw block data can be read bypassing ACL/authorization | |
| CVE-2021-39233 | Container-related datanode operations can be called without authorization | |
| CVE-2021-39232 | Missing admin check for SCM related admin commands | |
| CVE-2021-39231 | Missing authentication/authorization on internal RPC endpoints | |
| CVE-2021-36372 | Original block tokens are persisted and can be retrieved |
IV. Related Vulnerabilities
Same product: Apache Ozone
- CVE-2024-45106
Apache Ozone: Improper authentication when generating S3 sec - CVE-2023-39196
Apache Ozone: Missing mutual TLS authentication in one of th - CVE-2021-41532
Unauthenticated access to Ozone Recon HTTP endpoints - CVE-2021-39235
Access mode of block tokens are not enforced - CVE-2021-39234
Raw block data can be read bypassing ACL/authorization
Same vendor: Apache Software Foundation
- CVE-2026-35194
Apache Flink: Remote code execution via SQL injection in cod - CVE-2026-45205
Apache Commons Configuration: StackOverflowError for YAML in - CVE-2026-43515
Apache Tomcat: Security constraints not correctly applied - CVE-2026-43514
Apache Tomcat: AJP secret compared in non-constant time - CVE-2026-43513
Apache Tomcat: LockOutRealm treats user names as case-sensit
Same weakness: CWE-862
- CVE-2026-2031
Google Cloud Application Integration: Exposed internal APIs - CVE-2026-7563
Classified Listing <= 5.3.10 - Missing Authorization to Auth - CVE-2026-4683
Smartcat Translator for WPML <= 3.1.77 - Missing Authorizati - CVE-2026-4094
FOX – Currency Switcher Professional for WooCommerce <= 1.4. - CVE-2026-6472
PostgreSQL CREATE TYPE does not check multirange schema CREA
V. Comments for CVE-2021-39236
No comments yet