Description

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false. * The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators. Users are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.

INFO

Published Date :

2024-12-03T09:06:23.356Z

Last Modified :

2024-12-03T15:52:28.971Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-45106 vulnerability.

Vendors Products
Apache
  • Ozone
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-45106.

URL Resource
http://www.openwall.com/lists/oss-security/2024/12/02/1 cve-icon
https://lists.apache.org/thread/rylnxwttp004kvotpk9j158vb238pfkm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact