CVE-2021-41532— Unauthenticated access to Ozone Recon HTTP endpoints
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-41532
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unauthenticated access to Ozone Recon HTTP endpoints
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Ozone 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Ozone是一个应用软件。一个面向Hadoop和云原生环境的可伸缩,冗余和分布式对象存储。 Apache Ozone 中存在访问控制错误漏洞,该漏洞源于产品未对OM、SCM和Datanode元数据的访问添加有效的权限。攻击者可通过该漏洞访问敏感数据。以下产品及版本受到影响:Apache Ozone 1.2.0之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Ozone | Everglades (1.1.0) ~ 1.1.0 | - |
II. Public POCs for CVE-2021-41532
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-41532
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2021-11-19 · 8 CVEs total
| CVE-2021-39236 | Owners of the S3 tokens are not validated | |
| CVE-2021-39235 | Access mode of block tokens are not enforced | |
| CVE-2021-39234 | Raw block data can be read bypassing ACL/authorization | |
| CVE-2021-39233 | Container-related datanode operations can be called without authorization | |
| CVE-2021-39232 | Missing admin check for SCM related admin commands | |
| CVE-2021-39231 | Missing authentication/authorization on internal RPC endpoints | |
| CVE-2021-36372 | Original block tokens are persisted and can be retrieved |
IV. Related Vulnerabilities
Same product: Apache Ozone
- CVE-2024-45106
Apache Ozone: Improper authentication when generating S3 sec - CVE-2023-39196
Apache Ozone: Missing mutual TLS authentication in one of th - CVE-2021-39236
Owners of the S3 tokens are not validated - CVE-2021-39235
Access mode of block tokens are not enforced - CVE-2021-39234
Raw block data can be read bypassing ACL/authorization
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2021-41532
No comments yet