Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if:
* ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false.
* The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators.
Users are recommended to upgrade to Apache Ozone version 1.4.1, which disables the affected endpoint.
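The advisory gives two configuration preconditions; a short script that reads an `ozone-site.xml` and reports whether both hold is the check an operator would want before deciding how urgently to upgrade. The following is an added example, not code from the Apache Ozone project. It assumes the Hadoop-style `<configuration>/<property>` XML layout, that administrator lists are comma-separated, and that the administrator check matches on the short (primary) component of the Kerberos principal; the sample XML, the `s3g` principal and the `hdfs, s3g` admin list are constructed for illustration.

```python
"""Configuration check for the CVE-2024-45106 preconditions (added example,
not from the Apache Ozone project). Parses a Hadoop-style ozone-site.xml and
reports whether the S3 Gateway secret HTTP endpoint is enabled while the S3G
service principal is also listed as an administrator."""
import xml.etree.ElementTree as ET

# Constructed sample ozone-site.xml showing the vulnerable combination.
# The property names are those cited in the advisory; the principal and the
# administrator list are made-up values for illustration.
SAMPLE_OZONE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>ozone.s3g.secret.http.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>ozone.s3g.kerberos.principal</name>
    <value>s3g/_HOST@EXAMPLE.COM</value>
  </property>
  <property>
    <name>ozone.administrators</name>
    <value>hdfs, s3g</value>
  </property>
</configuration>
"""


def parse_site_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style site XML."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def principal_short_name(principal):
    """'s3g/host@REALM' -> 's3g'. Assumption: the administrator check compares
    the short (primary) component of the principal, as Hadoop UGI does."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def split_list(value):
    # Assumption: administrator lists are comma-separated; whitespace tolerated.
    return {item.strip() for item in value.split(",") if item.strip()}


def check_s3g_secret_exposure(props):
    """Return (vulnerable, findings). vulnerable is True only when both
    advisory preconditions hold for the parsed configuration."""
    findings = []
    enabled = props.get("ozone.s3g.secret.http.enabled", "false").lower() == "true"
    if not enabled:
        findings.append("ozone.s3g.secret.http.enabled is false (the default): endpoint not exposed")
        return False, findings
    findings.append("ozone.s3g.secret.http.enabled=true: S3 secret HTTP endpoint is exposed")

    principal = props.get("ozone.s3g.kerberos.principal", "")
    short = principal_short_name(principal) if principal else ""
    admins = split_list(props.get("ozone.administrators", "")) | \
        split_list(props.get("ozone.s3.administrators", ""))
    if short and short in admins:
        findings.append(f"S3G principal '{short}' is listed in ozone.administrators / ozone.s3.administrators")
        return True, findings
    findings.append("S3G principal is not an administrator: second precondition not met")
    return False, findings


def with_endpoint_disabled(props):
    """Interim setting that removes the first precondition the advisory names;
    the advised fix remains upgrading to 1.4.1, which disables the endpoint."""
    fixed = dict(props)
    fixed["ozone.s3g.secret.http.enabled"] = "false"
    return fixed


if __name__ == "__main__":
    conf = parse_site_xml(SAMPLE_OZONE_SITE)
    vuln, notes = check_s3g_secret_exposure(conf)
    print("VULNERABLE" if vuln else "not affected")
    for note in notes:
        print(" -", note)
```

Run it against a real `ozone-site.xml` by replacing the constructed sample; a result of `not affected` only means the two documented preconditions are absent, not that a 1.4.0 deployment should skip the upgrade.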
History
Tue, 03 Dec 2024 16:15:00 +0000

Type | Values Removed | Values Added
---|---|---
First Time appeared | | Apache; Apache ozone
CPEs | | `cpe:2.3:a:apache:ozone:1.4.0:-:*:*:*:*:*:*`
Vendors & Products | Apache Software Foundation; Apache Software Foundation apache Ozone | Apache; Apache ozone
Tue, 03 Dec 2024 15:15:00 +0000

Type | Values Removed | Values Added
---|---|---
First Time appeared | | Apache Software Foundation; Apache Software Foundation apache Ozone
Weaknesses | | CWE-863
CPEs | | `cpe:2.3:a:apache_software_foundation:apache_ozone:*:*:*:*:*:*:*:*`
Vendors & Products | | Apache Software Foundation; Apache Software Foundation apache Ozone
Metrics | | cvssV3_1
Tue, 03 Dec 2024 10:30:00 +0000

Type | Values Removed | Values Added
---|---|---
References | |
Tue, 03 Dec 2024 09:30:00 +0000

Type | Values Removed | Values Added
---|---|---
Description | | Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: (1) ozone.s3g.secret.http.enabled is set to true (the default value of this configuration is false); (2) the user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators. Users are recommended to upgrade to Apache Ozone version 1.4.1, which disables the affected endpoint.
Title | | Apache Ozone: Improper authentication when generating S3 secrets
Weaknesses | | CWE-287
References | |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-12-03T09:06:23.356Z
Updated: 2024-12-03T15:52:28.971Z
Reserved: 2024-08-21T21:51:31.318Z
Link: CVE-2024-45106
Vulnrichment
Updated: 2024-12-03T10:03:38.771Z
NVD
Status: Received
Published: 2024-12-03T10:15:05.697
Modified: 2024-12-03T15:15:10.470
Link: CVE-2024-45106
Redhat
No data.