CVE-2020-17517 - OpenCVE

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ozone

Configuration 1 [-]

cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-04-27T08:22:22

Updated: 2024-08-04T14:00:48.532Z

Reserved: 2020-08-12T00:00:00

Link: CVE-2020-17517

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-27T09:15:07.867

Modified: 2022-08-05T17:12:46.173

Link: CVE-2020-17517

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Ozone", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.0.0", "status": "affected", "version": "Apache Ozone", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Ozone would like to thank Kota Uenishi for reporting this issue."}], "descriptions": [{"lang": "en", "value": "The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-05T19:13:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Ozone S3 Gateway allows bucket and key access to non authenticated users ", "workarounds": [{"lang": "en", "value": "Upgrade to the latest Apache Ozone 1.1.0 release."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-17517", "STATE": "PUBLIC", "TITLE": "Ozone S3 Gateway allows bucket and key access to non authenticated users "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Ozone", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache Ozone", "version_value": "1.0.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Ozone would like to thank Kota Uenishi for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Upgrade to the latest Apache Ozone 1.1.0 release."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:48.532Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-17517", "datePublished": "2021-04-27T08:22:22", "dateReserved": "2020-08-12T00:00:00", "dateUpdated": "2024-08-04T14:00:48.532Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ozone:*:*:*:*:*:*:*:*", "matchCriteriaId": "340A4DAF-2644-4011-9E80-F34F5D7411A4", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release."}, {"lang": "es", "value": "Los dep\u00f3sitos y claves de S3 en un Apache Ozone Cluster seguro deben ser inaccesibles para el acceso an\u00f3nimo por defecto. La vulnerabilidad de seguridad actual permite el acceso a claves y dep\u00f3sitos por medio de un comando curl o una petici\u00f3n HTTP no autenticada. Esto permite el acceso no autorizado a dep\u00f3sitos y claves, exponiendo as\u00ed los datos a clientes o usuarios an\u00f3nimos. Esto afect\u00f3 a Apache Ozone anterior a la versi\u00f3n 1.1.0"}], "id": "CVE-2020-17517", "lastModified": "2022-08-05T17:12:46.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-27T09:15:07.867", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rdd59a176b32c63f7fc0865428bf9bbc69297fa17f6130c80c25869aa%40%3Cdev.ozone.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@apache.org", "type": "Secondary"}]}