Unauthenticated access to Ozone Recon HTTP endpoints
Description
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Ozone before 1.2.0, Recon HTTP endpoints expose OM, SCM, and Datanode metadata to unauthenticated users.
Vulnerability
Apache Ozone before version 1.2.0 contains a vulnerability in the Recon HTTP endpoints, which are designed to provide access to metadata from Ozone Manager (OM), Storage Container Manager (SCM), and Datanodes. Due to a missing authentication check, any unauthenticated user can retrieve this metadata [1][2].
Exploitation
An attacker with network access to the Recon HTTP endpoints can simply send requests without any authentication or prior knowledge, gaining access to the metadata [1]. No special privileges or user interaction are required.
Impact
Successful exploitation leads to unauthorized disclosure of confidential metadata from OM, SCM, and Datanode, including cluster topology and operational data, which could aid further attacks [1][2].
Mitigation
The issue is fixed in Apache Ozone version 1.2.0, released in November 2021. Users should upgrade to this version or later to mitigate the vulnerability [2]. There is no known workaround.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.ozone:ozone-main (Maven) | < 1.2.0 | 1.2.0 |
Affected products
- Apache Software Foundation/Apache Ozone (v5). Range: Everglades (1.1.0)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gc37-9g7f-96fx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-41532 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2021/11/19/8 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E (ghsa, x_refsource_MISC, WEB)