Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints
Description
Improper Authentication vulnerability in Apache Ozone.
The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.
Users are recommended to upgrade to version 1.4.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-39196: Apache Ozone 1.2.0 through 1.3.0 has an improper authentication flaw in a Storage Container Manager endpoint, allowing metadata download without authentication.
Vulnerability
Overview
CVE-2023-39196 is an improper authentication vulnerability in Apache Ozone affecting versions 1.2.0 through 1.3.0. The root cause is a missing mutual TLS authentication check in one of the internal endpoints of the Storage Container Manager service [1][3]. This allows an unauthenticated attacker to download metadata that is internal to the Storage Container Manager.
Exploitation and
Impact
An attacker can exploit this vulnerability by sending requests to the affected endpoint without any authentication [3]. The attacker cannot modify any data within the Storage Container Manager using this vulnerability. The accessible metadata does not contain sensitive information that could be used for further exploitation, nor does it allow access to actual user data within Ozone [1]. Thus, the impact is limited to unauthorized information disclosure of non-sensitive metadata.
Mitigation
The Apache Ozone project has released version 1.4.0, which fixes the vulnerability by properly enforcing authentication for the affected endpoint [1][3]. Users running versions 1.2.0 through 1.3.0 are recommended to upgrade to 1.4.0 or later to remediate the issue [1][3]. No workarounds or patches for earlier versions have been mentioned.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.ozone:ozone-mainMaven | >= 1.2.0, < 1.4.0 | 1.4.0 |
Affected products
3- Apache Software Foundation/Apache Ozonev5Range: 1.2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-6726-2rx3-cgwhghsaADVISORY
- lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nkyghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-39196ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/02/07/2ghsaWEB
News mentions
0No linked articles in our index yet.