CVE-2023-39196

low-risk
Published 2024-02-07

Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.

Do I need to act?

-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Ozone

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2024/02/07/2
Issue Tracking https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky
Mailing List http://www.openwall.com/lists/oss-security/2024/02/07/2
Issue Tracking https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal