CVE-2023-39196: 
Java vulnerability analysis and mitigation

Improper Authentication vulnerability identified in Apache Ozone (CVE-2023-39196) affects versions 1.2.0 through 1.3.0. The vulnerability was disclosed on February 7, 2024, and allows attackers to download internal metadata from the Storage Container Manager service without proper authentication (OSS Security, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, and only impacts confidentiality at a low level. The weakness has been categorized as CWE-287 (Improper Authentication) (NVD).

The impact of this vulnerability is limited to unauthorized access to metadata within the Storage Container Manager service. Importantly, the accessible metadata does not contain sensitive information that could be leveraged for further system exploitation, and the vulnerability does not provide access to actual user data within Ozone. Additionally, the vulnerability does not allow attackers to perform any modifications within the Ozone Storage Container Manager service (OSS Security).

Users are recommended to upgrade to Apache Ozone version 1.4.0, which contains the fix for this vulnerability. This is the primary and recommended mitigation strategy (OSS Security).