
Vulnerability Change Records for CVE-2024-45106

Change History

CVE Modified by CVE 12/03/2024 5:15:05 AM

Action: Added
Type: Reference
Old Value: (none)
New Value: http://www.openwall.com/lists/oss-security/2024/12/02/1

New CVE Received from Apache Software Foundation 12/03/2024 5:15:05 AM

Action: Added
Type: Description
Old Value: (none)
New Value:
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if:
  *  ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false.
  *  The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators.

Users are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.

Action: Added
Type: CWE
Old Value: (none)
New Value: CWE-287

Action: Added
Type: Reference
Old Value: (none)
New Value: https://lists.apache.org/thread/rylnxwttp004kvotpk9j158vb238pfkm