Missing admin check for SCM related admin commands
Description
In Apache Ozone versions prior to 1.2.0, certain admin-related SCM commands can be executed by any authenticated user, not just by admins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Ozone <1.2.0, any authenticated user can execute admin SCM commands due to missing authorization checks.
Vulnerability
In Apache Ozone versions prior to 1.2.0, certain admin-related Storage Container Manager (SCM) commands lack proper authorization checks, allowing any authenticated user to execute them instead of only administrators [1]. This affects all releases before 1.2.0.
Exploitation
An attacker needs only valid authentication credentials to the Ozone cluster. No additional privileges are required. The attacker can issue SCM admin commands via the command-line interface or API, bypassing the intended admin-only restriction [3].
Impact
Successful exploitation enables an authenticated non-admin user to perform administrative operations on the SCM, potentially leading to unauthorized configuration changes, data exposure, or disruption of storage services. The exact impact depends on the specific commands executed.
Mitigation
Upgrade to Apache Ozone version 1.2.0, which includes the fix for this issue (tracked as HDDS-4530) [3]. No workarounds are documented for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.ozone:ozone-main (Maven) | < 1.2.0 | 1.2.0 |
Affected products
- Apache Software Foundation/Apache Ozone (v5), Range: 1.0
References
- github.com/advisories/GHSA-ff84-84q5-fq4f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-39232 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2021/11/19/3 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C3c30a7f2-13a4-345e-6c8a-c23a2b937041%40apache.org%3E (ghsa, x_refsource_MISC, WEB)