Ozone S3 Gateway allows bucket and key access to non authenticated users
CVE-2020-17517

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Ozone
Vendor: CVE Published:; 27 April 2021

Summary

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.

Affected Version(s)

Apache Ozone Apache Ozone <= 1.0.0

References

https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 27, 2021
Vulnerability Reserved
Aug 12, 2020

Credit

Apache Ozone would like to thank Kota Uenishi for reporting this issue.