Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if:
* ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false.
* The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators.
Users are recommended to upgrade to Apache Ozone version 1.4.1, which disables the affected endpoint.
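The two preconditions above can be checked directly against a cluster's ozone-site.xml before deciding how urgently to upgrade. The following is an added example (not code from the Apache Ozone project or the advisory): it parses the Hadoop-style property file and reports whether both conditions hold. It assumes the default Kerberos auth_to_local mapping, under which a principal such as s3g/_HOST@EXAMPLE.COM maps to the short user name s3g, and treats a "*" entry in an administrators list as meaning everyone; the configuration fragment is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed ozone-site.xml fragment showing the exposed combination:
# the HTTP secret endpoint is enabled and the S3G principal's user is an admin.
SAMPLE_OZONE_SITE = """<configuration>
  <property><name>ozone.s3g.secret.http.enabled</name><value>true</value></property>
  <property><name>ozone.s3g.kerberos.principal</name><value>s3g/_HOST@EXAMPLE.COM</value></property>
  <property><name>ozone.administrators</name><value>hdfs, s3g</value></property>
</configuration>"""


def parse_hadoop_config(xml_text):
    """Read Hadoop-style <property><name/><value/></property> pairs into a dict."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def principal_short_name(principal):
    """Map 'user/host@REALM' to 'user' (assumes the default auth_to_local rule)."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def admin_entries(conf, key):
    """Split a comma-separated administrators list into a set of names."""
    return {x.strip() for x in conf.get(key, "").split(",") if x.strip()}


def assess(conf):
    """Return which of the advisory's two preconditions hold for this config."""
    enabled = conf.get("ozone.s3g.secret.http.enabled", "false").lower() == "true"
    principal = conf.get("ozone.s3g.kerberos.principal", "")
    admins = (admin_entries(conf, "ozone.administrators")
              | admin_entries(conf, "ozone.s3.administrators"))
    # Assumption: a '*' entry in an administrators list grants everyone admin.
    principal_is_admin = bool(principal) and (
        principal in admins or principal_short_name(principal) in admins or "*" in admins)
    return {"endpoint_enabled": enabled,
            "s3g_principal_is_admin": principal_is_admin,
            "exposed": enabled and principal_is_admin}


if __name__ == "__main__":
    print(assess(parse_hadoop_config(SAMPLE_OZONE_SITE)))
```

Leaving ozone.s3g.secret.http.enabled at its default of false, or removing the S3G principal's user from both administrators lists, makes "exposed" false; upgrading to 1.4.1 removes the endpoint regardless of configuration.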
History

Tue, 03 Dec 2024 16:15:00 +0000

Type: First Time appeared
  Values Added: Apache; Apache ozone
Type: CPEs
  Values Removed: cpe:2.3:a:apache_software_foundation:apache_ozone:*:*:*:*:*:*:*:*
  Values Added: cpe:2.3:a:apache:ozone:1.4.0:-:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: Apache Software Foundation; Apache Software Foundation apache Ozone
  Values Added: Apache; Apache ozone

Tue, 03 Dec 2024 15:15:00 +0000

Type: First Time appeared
  Values Added: Apache Software Foundation; Apache Software Foundation apache Ozone
Type: Weaknesses
  Values Added: CWE-863
Type: CPEs
  Values Added: cpe:2.3:a:apache_software_foundation:apache_ozone:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Apache Software Foundation; Apache Software Foundation apache Ozone
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 03 Dec 2024 10:30:00 +0000

Type: References

Tue, 03 Dec 2024 09:30:00 +0000

Type: Description
  Values Added: Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false. * The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators. Users are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.
Type: Title
  Values Added: Apache Ozone: Improper authentication when generating S3 secrets
Type: Weaknesses
  Values Added: CWE-287
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-12-03T09:06:23.356Z

Updated: 2024-12-03T15:52:28.971Z

Reserved: 2024-08-21T21:51:31.318Z

Link: CVE-2024-45106

Vulnrichment

Updated: 2024-12-03T10:03:38.771Z

NVD

Status: Received

Published: 2024-12-03T10:15:05.697

Modified: 2024-12-03T15:15:10.470

Link: CVE-2024-45106

Redhat

No data.