Access mode of block tokens are not enforced
Description
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can do any write operation on the same block.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Ozone before 1.2.0, Datanode does not enforce block token access mode, allowing READ token holders to perform write operations.
Vulnerability
In Apache Ozone versions prior to 1.2.0, the Ozone Datanode fails to check the access mode parameter of the block token. This allows an authenticated user who possesses a valid READ block token to perform any write operation on the same block. The issue is tracked as HDDS-4558 and HDDS-4644. [2][3]
Exploitation
An attacker must be an authenticated user with a valid READ block token for a specific block. No additional privileges or user interaction beyond authentication are required. The attacker can then issue write operations (e.g., modify or overwrite data) on that block by exploiting the missing access mode enforcement in the Datanode. [2][3]
Impact
Successful exploitation enables an attacker to write arbitrary data to a block for which they only have a READ token. This compromises the integrity and availability of data, as the attacker can corrupt or modify stored objects. Confidentiality is not directly affected. The privilege level is that of an authenticated user with a valid token. [1][2][3]
Mitigation
The vulnerability is fixed in Apache Ozone version 1.2.0, released on 2021-11-19. Users should upgrade to this version or later. No workarounds are documented in the available references. [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
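The flaw described above is a missing authorization step: the Datanode verified that a block token was genuine and bound to the block, but never compared the token's access mode with the operation being requested. The following is an added illustration of that check in a small constructed model; it is not Apache Ozone's code and does not use Ozone's APIs. The token format (an HMAC-signed JSON body of block id, modes and expiry), the shared secret, the mode names and the function names are all assumptions made for the example. It shows the flawed pattern (signature and block binding checked, mode ignored) beside the hardened one (the requested operation must be among the signed modes), and how a client that edits the modes field cannot bypass the fix because the signature no longer matches.

```python
"""Constructed model of block-token authorization on a datanode.

Not Apache Ozone code: token layout, secret, and function names are
assumptions chosen for this example.
"""
import hashlib
import hmac
import json
import time
from typing import Iterable

# Constructed demo secret shared by the token issuer and the datanode.
# Real deployments obtain this from cluster key management, never a literal.
_SECRET = b"constructed-demo-secret"

READ, WRITE, DELETE = "READ", "WRITE", "DELETE"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the canonical token body."""
    return hmac.new(_SECRET, payload, hashlib.sha256).hexdigest()


def _canonical(body: dict) -> bytes:
    """Stable serialization so issuer and verifier sign identical bytes."""
    return json.dumps(body, sort_keys=True).encode()


def issue_token(block_id: str, modes: Iterable[str], ttl_s: int = 300) -> dict:
    """Issuer side: the allowed modes are part of the signed body, so a
    holder cannot widen them without invalidating the signature."""
    body = {
        "block_id": block_id,
        "modes": sorted(set(modes)),
        "exp": int(time.time()) + ttl_s,
    }
    return {"body": body, "sig": _sign(_canonical(body))}


def _signature_and_block_ok(token: dict, block_id: str) -> bool:
    """Checks common to both variants: authenticity, block binding, expiry."""
    expected = _sign(_canonical(token["body"]))
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    if token["body"]["block_id"] != block_id:
        return False
    return token["body"]["exp"] > time.time()


def authorize_vulnerable(token: dict, block_id: str, requested_mode: str) -> bool:
    """Flawed pattern: the token is genuine and for this block, so the
    request is allowed. requested_mode is never consulted, so a READ
    token authorizes WRITE and DELETE as well."""
    return _signature_and_block_ok(token, block_id)


def authorize_fixed(token: dict, block_id: str, requested_mode: str) -> bool:
    """Hardened pattern: the operation must be one of the modes the
    issuer signed into the token."""
    if not _signature_and_block_ok(token, block_id):
        return False
    return requested_mode in token["body"]["modes"]


def widen_modes(token: dict, extra_modes: Iterable[str]) -> dict:
    """Constructed tampering attempt for the demo: a holder edits the
    modes list but cannot recompute the signature without the secret."""
    body = dict(token["body"])
    body["modes"] = sorted(set(body["modes"]) | set(extra_modes))
    return {"body": body, "sig": token["sig"]}


if __name__ == "__main__":
    read_token = issue_token("blk-1", [READ])
    print("vulnerable, READ token, WRITE:", authorize_vulnerable(read_token, "blk-1", WRITE))
    print("fixed,      READ token, WRITE:", authorize_fixed(read_token, "blk-1", WRITE))
    print("fixed,      READ token, READ: ", authorize_fixed(read_token, "blk-1", READ))
    forged = widen_modes(read_token, [WRITE])
    print("fixed,      tampered modes:   ", authorize_fixed(forged, "blk-1", WRITE))
```

The detection angle follows from the same comparison: a datanode that logs the token's signed modes alongside the requested operation makes a READ token arriving on a write path visible in audit logs, whereas the flawed variant leaves no distinguishing record.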
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.ozone:ozone-main | Maven | < 1.2.0 | 1.2.0 |
Affected products
- Apache Software Foundation / Apache Ozone (v5 record); Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c6j7-4fr9-c76p (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-39235 (GHSA; advisory)
- www.openwall.com/lists/oss-security/2021/11/19/6 (GHSA; mailing list, x_refsource_MLIST, web)
- mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C93f88246-4320-7423-0dac-ec7a07f47455%40apache.org%3E (GHSA; x_refsource_MISC, web)
News mentions
No linked articles in our index yet.