Raw block data can be read bypassing ACL/authorization
Description
In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Ozone before 1.2.0, authenticated users can bypass ACLs and read raw block data by crafting requests with known block IDs.
Vulnerability
In Apache Ozone versions prior to 1.2.0, a vulnerability exists in the block access handling. Authenticated users who know the ID of an existing block can craft specific requests to access those blocks, bypassing other security checks like ACLs [1][2]. This issue is tracked as HDDS-5061 [2].
Exploitation
An attacker must be an authenticated user of the Apache Ozone instance and possess knowledge of a target block's ID. With this information, the attacker can craft a request that directly accesses the block data, circumventing the ACL validation that would normally restrict access [1][2].
Impact
Successful exploitation allows the attacker to read raw block data without proper authorization, leading to unauthorized information disclosure. The attacker gains access to data that should have been protected by ACLs, potentially exposing sensitive information stored in those blocks [1][2].
Mitigation
Apache Ozone released version 1.2.0 which fixes this vulnerability. Users should upgrade to Apache Ozone 1.2.0 or later [2]. No workaround is mentioned in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.ozone:ozone-mainMaven | < 1.2.0 | 1.2.0 |
Affected products
3- Apache Software Foundation/Apache Ozonev5Range: 1.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-c8cw-2c5j-xff3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-39234ghsaADVISORY
- www.openwall.com/lists/oss-security/2021/11/19/5ghsamailing-listx_refsource_MLISTWEB
- mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C97d65498-7f8c-366f-1bea-5a74b6378f0d%40apache.org%3Eghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.