CVE-2024-45106

CVSS 3.1 Score 8.1 of 10 (high)

Details

Published Dec 3, 2024
CWE ID 287
CWE ID 863

Summary

CVE-2024-45106 is a vulnerability in Apache Ozone 1.4.0's S3 Gateway that allows authenticated Kerberos users to manipulate the S3 secrets of other users. This occurs due to improper authentication of an HTTP endpoint. For this attack, two prerequisites must be met: the configuration option 'ozone.s3g.secret.http.enabled' is set to true, and the attacker's user principal is also listed in 'ozone.s3.administrators' or 'ozone.administrators'. Upgrading to Apache Ozone version 1.4.1 is advised as it disables the affected endpoint, mitigating this issue.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share