CVE-2020-17517: Ozone S3 Gateway allows bucket and key access to non authenticated users
First published: Tue Apr 27 2021(Updated: )
The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Ozone | <1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-17517?
The severity of CVE-2020-17517 is high with a value of 7.5.
How does CVE-2020-17517 affect Apache Ozone?
CVE-2020-17517 affects Apache Ozone versions up to and including 1.1.0.
What is the impact of CVE-2020-17517?
The impact of CVE-2020-17517 is unauthorized access to S3 buckets and keys in a secure Apache Ozone Cluster.
How can I fix CVE-2020-17517?
To fix CVE-2020-17517, ensure that S3 buckets and keys in the Apache Ozone Cluster are inaccessible to anonymous access by default.
What is CWE-306 and CWE-285?
CWE-306 is Misconfiguration and CWE-285 is Improper Authorization.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/title
- agent/author
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- vendor/apache
- canonical/apache ozone