Cyber Resilience

CVE-2020-17517

High

Published: 27 April 2021

Published
27 April 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0042 62.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-17517 is a high-severity Improper Authorization (CWE-285) vulnerability in Apache Ozone. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 37.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables…

more

unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
ozone
≤ 1.1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-306 CWE-285

Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

addresses: CWE-285 CWE-306

Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.

addresses: CWE-285 CWE-306

Ensures authorization decisions are always performed by a complete and analyzable reference monitor.

addresses: CWE-285 CWE-306

Auditing session actions allows identification of improper authorization decisions and enforcement failures.

addresses: CWE-285 CWE-306

The process verifies authorization mechanisms function as intended before system approval.

addresses: CWE-285 CWE-306

By limiting enabled features to only those needed, the control strengthens authorization by removing opportunities for unauthorized use of excess functionality.

addresses: CWE-285 CWE-306

Dedicated authorization servers support policy-based decisions, mitigating improper authorization.

addresses: CWE-285 CWE-306

Protecting the shutoff from unauthorized activation enforces proper authorization for this critical operation.

References