Original block tokens are persisted and can be retrieved
Description
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Ozone before 1.2.0, initial block tokens persist in the metadata database, letting authenticated users reuse tokens after access is revoked.
Vulnerability
In Apache Ozone versions prior to 1.2.0, the initial block tokens generated for data access are persisted to the metadata database. These tokens can be retrieved by any authenticated user who has permission to the associated key. The tokens remain valid and usable even after the user's access to the key has been revoked. This issue is tracked as HDDS-5315 [3].
Exploitation
An attacker needs only an authenticated Apache Ozone identity that holds, or once held, permission on a key. With that, the block tokens persisted for the key can be retrieved from the metadata database, and they keep working after the attacker's permission on the key is revoked. No further privileges and no race condition are needed: the tokens are stored with the key's metadata and handed to any caller authorized on the key [1][3].
Impact
A successful attacker can continue to access the data blocks associated with the key even after their access rights have been revoked. This leads to unauthorized data disclosure or modification, depending on the permissions the persisted token carries. The core impact is an access-control bypass: revocation at the metadata layer is not enforced on the data path, because a previously issued bearer token is still accepted there [1][3].
Mitigation
Upgrade to Apache Ozone version 1.2.0, which resolves the issue. No workarounds have been provided for earlier versions. Note that the persisted tokens are bearer credentials: a copy retrieved before the upgrade remains usable for as long as the token itself stays valid, so review which formerly authorized users could reach sensitive keys. The vendor credits Marton Elek for reporting the vulnerability [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
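The failure mode described above, modelled as an added example (this is not Apache Ozone code and not the HDDS-5315 patch): a toy metadata service maps keys to block IDs and issues HMAC-signed block tokens that a storage node verifies on its own, the way a DataNode would. With `persist_tokens=True` the creator's tokens are written into the key record and handed back on every lookup, mirroring the pre-1.2.0 behaviour; with `persist_tokens=False` each lookup mints a fresh, short-lived token bound to the caller. The token format, the shared secret, the user, key and block names and the 60-second TTL are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed secret shared by the metadata service and storage nodes (assumption).
TOKEN_SECRET = b"constructed-demo-secret"


def sign_token(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(TOKEN_SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def verify_token(token: str, now: int):
    """Return the payload if the MAC checks out and the token is unexpired, else None."""
    body_hex, mac = token.split(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(TOKEN_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    payload = json.loads(body)
    return payload if payload["exp"] > now else None


class MetadataService:
    """Toy key-to-block metadata service. persist_tokens=True models the pre-1.2.0
    behaviour (tokens stored with the key record), False the fixed behaviour."""

    def __init__(self, token_ttl: int, persist_tokens: bool):
        self.token_ttl = token_ttl
        self.persist_tokens = persist_tokens
        self.acl = {}  # key -> {user: set of modes}
        self.db = {}   # key -> persisted metadata record

    def _mint(self, user, block, mode, now):
        return sign_token({"user": user, "block": block, "mode": mode,
                           "exp": now + self.token_ttl})

    def create_key(self, user, key, blocks, now):
        self.acl[key] = {user: {"READ", "WRITE"}}
        tokens = [self._mint(user, b, "WRITE", now) for b in blocks]
        # Vulnerable variant writes the creator's WRITE tokens into the key record.
        self.db[key] = {"blocks": blocks,
                        "tokens": tokens if self.persist_tokens else None}
        return tokens

    def set_acl(self, key, user, modes):
        if modes:
            self.acl[key][user] = set(modes)
        else:
            self.acl[key].pop(user, None)  # revoke

    def lookup_key(self, user, key, now):
        if "READ" not in self.acl[key].get(user, set()):
            raise PermissionError(f"{user} may not read {key}")
        record = self.db[key]
        if self.persist_tokens:
            return list(record["tokens"])  # original tokens returned unchanged
        # Fixed variant: fresh tokens bound to the requester's identity and mode.
        return [self._mint(user, b, "READ", now) for b in record["blocks"]]


class StorageNode:
    """Holds the token secret but, like a DataNode, knows nothing about key ACLs."""

    def access(self, token, block, mode, now) -> bool:
        p = verify_token(token, now)
        if p is None or p["block"] != block:
            return False
        return mode == "READ" or p["mode"] == "WRITE"


def run_scenario(persist_tokens: bool, token_ttl: int = 60) -> dict:
    """alice creates a key, bob is granted READ, looks it up, then is revoked."""
    key, block = "/vol1/bucket1/report.csv", "blk-0001"
    om, dn = MetadataService(token_ttl, persist_tokens), StorageNode()
    om.create_key("alice", key, [block], now=0)
    om.set_acl(key, "bob", {"READ"})
    bob_token = om.lookup_key("bob", key, now=20)[0]
    om.set_acl(key, "bob", set())
    try:
        om.lookup_key("bob", key, now=30)
        lookup_after_revoke = True
    except PermissionError:
        lookup_after_revoke = False
    payload = verify_token(bob_token, 20)
    return {
        "token_user": payload["user"],
        "token_mode": payload["mode"],
        "bob_can_write": dn.access(bob_token, block, "WRITE", now=25),
        "token_in_metadata_db": bob_token in json.dumps(om.db),
        "lookup_after_revoke": lookup_after_revoke,
        "replay_within_ttl": dn.access(bob_token, block, "READ", now=40),
        "replay_after_ttl": dn.access(bob_token, block, "READ", now=200),
    }


if __name__ == "__main__":
    for label, persist in (("pre-1.2.0 model", True), ("fixed model", False)):
        print(label, run_scenario(persist))
```

Running it shows the two things the fix changes. In the persisted model, bob receives alice's WRITE token, so a read-only user can modify the block, and the token sits in the metadata record where anyone who can read that record can copy it. In the fixed model, bob's token carries his own identity and READ mode and nothing is stored. What neither model gives you is instant revocation: a bearer token already in bob's hands keeps working until its TTL runs out, which is why the TTL must be short and why revoking access should be followed by a review of what the user could retrieve beforehand.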
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.ozone:ozone-main (Maven) | < 1.2.0 | 1.2.0 |
Affected products
- Apache Software Foundation / Apache Ozone (CVE record v5); affected range: 1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-86fh-j58m-7pf5 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-36372 (NVD)
3. www.openwall.com/lists/oss-security/2021/11/19/1 (oss-security mailing list)
4. mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E (ozone-dev mailing list)
News mentions
No linked articles in our index yet.