Search criteria
28 vulnerabilities found for storm by apache
CVE-2026-41081 (GCVE-0-2026-41081)
Vulnerability from nvd – Published: 2026-04-27 13:10 – Updated: 2026-04-27 14:43
Title
Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure
Summary
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm
Versions Affected: up to 2.8.7
Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.
This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.
Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.
Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.
Users who cannot upgrade immediately should:
- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)
- Ensure authorization rules explicitly deny access to CN=ANONYMOUS
- Review all ACL configurations for implicit default-allow behavior
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
References
2 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm Client | Affected: 0 , < 2.8.7 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-27T13:36:46.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/25/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-41081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T14:42:46.312578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:43:31.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"packageName": "org.apache.storm:storm-client",
"product": "Apache Storm Client",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "K"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eImproper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e\u003cb\u003eVersions Affected:\u003c/b\u003e up to 2.8.7\u003cbr\u003e\u003cbr\u003e\u003cb\u003eDescription: \u003c/b\u003eWhen TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\u003cbr\u003e\u003cbr\u003eThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eImpact:\u003c/b\u003e Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eMitigation:\u003c/b\u003e Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eUsers who cannot upgrade immediately should:\u003c/b\u003e\u003cbr\u003e- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\u003cbr\u003e- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\u003cbr\u003e- Review all ACL configurations for implicit default-allow behavior\u003cbr\u003e"
}
],
"value": "Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\n\nVersions Affected: up to 2.8.7\n\nDescription: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\n\nThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\n\nImpact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\n\nMitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\n\nUsers who cannot upgrade immediately should:\n- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\n- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\n- Review all ACL configurations for implicit default-allow behavior"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:10:45.886Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41081",
"datePublished": "2026-04-27T13:10:45.886Z",
"dateReserved": "2026-04-16T17:22:43.617Z",
"dateUpdated": "2026-04-27T14:43:31.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35565 (GCVE-0-2026-35565)
Vulnerability from nvd – Published: 2026-04-13 09:10 – Updated: 2026-04-13 14:10
Title
Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Summary
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI
Versions Affected: before 2.8.6
Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting.
In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.
Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered while investigating another report by K.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
2 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm UI | Affected: 0 , < 2.8.6 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-13T09:40:05.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/12/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T14:09:39.740938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:10:07.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"packageName": "org.apache.storm:storm-webapp",
"product": "Apache Storm UI",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003eStored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eVersions Affected:\u003c/strong\u003e before 2.8.6\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via \u003ccode\u003einnerHTML\u003c/code\u003e in \u003ccode\u003eparseNode()\u003c/code\u003e and \u003ccode\u003eparseEdge()\u003c/code\u003e without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an \u003ccode\u003eonerror\u003c/code\u003e event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin\u0027s browser session.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e\u0026nbsp;2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the \u003ccode\u003eparseNode()\u003c/code\u003e and \u003ccode\u003eparseEdge()\u003c/code\u003e functions in the visualization JavaScript file to HTML-escape all API-supplied values including \u003ccode\u003enodeId\u003c/code\u003e, \u003ccode\u003e:capacity\u003c/code\u003e, \u003ccode\u003e:latency\u003c/code\u003e, \u003ccode\u003e:component\u003c/code\u003e, \u003ccode\u003e:stream\u003c/code\u003e, and \u003ccode\u003e:grouping\u003c/code\u003e\u0026nbsp;before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.\u0026nbsp;A guide on how to do this is available in the release notes of 2.8.6.\u003c/p\u003e\u003cb\u003eCredit:\u003c/b\u003e This issue was discovered while investigating another report by K.\u003cbr\u003e"
}
],
"value": "Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\n\n\nVersions Affected: before 2.8.6\n\n\nDescription: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.\u00a0\n\nIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin\u0027s browser session.\n\n\nMitigation:\u00a02.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping\u00a0before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.\u00a0A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered while investigating another report by K."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T09:10:17.367Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://storm.apache.org/2026/04/12/storm286-released.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-35565",
"datePublished": "2026-04-13T09:10:17.367Z",
"dateReserved": "2026-04-03T15:14:12.281Z",
"dateUpdated": "2026-04-13T14:10:07.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35337 (GCVE-0-2026-35337)
Vulnerability from nvd – Published: 2026-04-13 09:11 – Updated: 2026-04-14 03:55
Title
Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Summary
Deserialization of Untrusted Data vulnerability in Apache Storm.
Versions Affected: before 2.8.6.
Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
Mitigation: 2.x users should upgrade to 2.8.6.
Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered by K.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
References
2 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm Client | Affected: 0 , < 2.8.6 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-13T09:40:03.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/12/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T03:55:31.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"packageName": "org.apache.storm:storm-client",
"product": "Apache Storm Client",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "K"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eDeserialization of Untrusted Data vulnerability in Apache Storm.\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVersions Affected:\u003c/strong\u003e\nbefore 2.8.6.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using \u003ccode\u003eObjectInputStream.readObject()\u003c/code\u003e without any class filtering or validation.\u0026nbsp;An authenticated user with topology submission rights could supply a crafted serialized object in the \u003ccode\u003e\"TGT\"\u003c/code\u003e credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e\n2.x users should upgrade to 2.8.6.\u003c/p\u003e\n\u003cp\u003eUsers who cannot upgrade immediately should monkey-patch an \u003ccode\u003eObjectInputFilter\u003c/code\u003e allow-list to \u003ccode\u003eClientAuthUtils.deserializeKerberosTicket()\u003c/code\u003e restricting deserialized classes to \u003ccode\u003ejavax.security.auth.kerberos.KerberosTicket\u003c/code\u003e and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cb\u003eCredit:\u003c/b\u003e This issue was discovered by K.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation.\u00a0An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T09:11:06.193Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://storm.apache.org/2026/04/12/storm286-released.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-35337",
"datePublished": "2026-04-13T09:11:06.193Z",
"dateReserved": "2026-04-02T09:21:36.185Z",
"dateUpdated": "2026-04-14T03:55:31.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-43123 (GCVE-0-2023-43123)
Vulnerability from nvd – Published: 2023-11-23 09:16 – Updated: 2025-02-13 17:13
Title
Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due to temporary files
Summary
On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems.
The method File.createTempFile on unix-like systems creates a file with a predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.
File.createTempFile(String, String) will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set.
This affects the class https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99 and was introduced by https://issues.apache.org/jira/browse/STORM-3123
In practice, this has a very limited impact, as this class is used only if ui.disable.spout.lag.monitoring is set to false, but its value is true by default.
Moreover, the temporary file gets deleted soon after its creation.
The solution is to use Files.createTempFile https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...) instead.
We recommend that all users upgrade to the latest version of Apache Storm.
Severity
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
References
2 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: 2.0.0 , < 2.6.0 (maven) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:37:23.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/23/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "affected",
"packageName": "storm-core",
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.6.0",
"status": "affected",
"version": "2.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrea Cosentino from Apache Software Foundation"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eOn unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\u003cbr\u003e\u003cbr\u003eThe method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eFile.createTempFile(String, String) will create a temporary file in the system temporary directory if the \u0027java.io.tmpdir\u0027 system property is not explicitly set. \u003cbr\u003e\u003cbr\u003eThis affects the class\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99\"\u003ehttps://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99\u003c/a\u003e\u0026nbsp;and was introduced by\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://issues.apache.org/jira/browse/STORM-3123\"\u003ehttps://issues.apache.org/jira/browse/STORM-3123\u003c/a\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eIn practice, this has a very limited impact as this class is used only if\u0026nbsp;\u003cspan style=\"background-color: rgb(206, 204, 247);\"\u003eui.disable.spout.lag.monitoring\u003c/span\u003e\u003c/div\u003e \u003cdiv\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eis set to false, but its value is true by default.\u003cbr\u003eMoreover, the temporary file gets deleted soon after its creation.\u003cbr\u003e\u003cbr\u003eThe solution is to use\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--hig);\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...)\"\u003eFiles.createTempFile\u003c/a\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;instead.\u003cbr\u003e\u003cbr\u003eWe recommend that all users upgrade to the latest version of Apache Storm.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\n\nThe method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.\n\nFile.createTempFile(String, String) will create a temporary file in the system temporary directory if the \u0027java.io.tmpdir\u0027 system property is not explicitly set. \n\nThis affects the class\u00a0 https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99 \u00a0and was introduced by\u00a0 https://issues.apache.org/jira/browse/STORM-3123 \n\nIn practice, this has a very limited impact as this class is used only if\u00a0ui.disable.spout.lag.monitoring\n\n is set to false, but its value is true by default.\nMoreover, the temporary file gets deleted soon after its creation.\n\nThe solution is to use\u00a0 Files.createTempFile https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...) \u00a0instead.\n\nWe recommend that all users upgrade to the latest version of Apache Storm."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-23T09:20:06.031Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/23/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-43123",
"datePublished": "2023-11-23T09:16:34.705Z",
"dateReserved": "2023-09-18T11:00:41.170Z",
"dateUpdated": "2025-02-13T17:13:14.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40865 (GCVE-0-2021-40865)
Vulnerability from nvd – Published: 2021-10-25 12:22 – Updated: 2024-08-04 02:51
Title
Unsafe Pre-Authentication Deserialization In Workers
Summary
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
Severity
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r8d45e742998… | x_refsource_MISC |
| https://seclists.org/oss-sec/2021/q4/45 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: v1.0.0 , < Apache Storm * (custom); Affected: Apache Storm , < v1.2.4 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:51:07.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache Storm *",
"status": "affected",
"version": "v1.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "v2.1.1",
"status": "unaffected"
},
{
"at": "v2.2.1",
"status": "unaffected"
},
{
"at": "v2.3.0",
"status": "unaffected"
}
],
"lessThan": "v1.2.4",
"status": "affected",
"version": "Apache Storm",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4"
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T12:22:37.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unsafe Pre-Authentication Deserialization In Workers",
"workarounds": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-40865",
"STATE": "PUBLIC",
"TITLE": "Unsafe Pre-Authentication Deserialization In Workers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache Storm",
"version_value": "v1.0.0"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v1.2.4"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.1.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.2.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"name": "https://seclists.org/oss-sec/2021/q4/45",
"refsource": "MISC",
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-40865",
"datePublished": "2021-10-25T12:22:37.000Z",
"dateReserved": "2021-09-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:51:07.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38294 (GCVE-0-2021-38294)
Vulnerability from nvd – Published: 2021-10-25 12:22 – Updated: 2024-08-04 01:37
Title
Shell Command Injection Vulnerability in Nimbus Thrift Server
Summary
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
Severity
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
References
3 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r5fe881f6ca8… | x_refsource_MISC |
| https://seclists.org/oss-sec/2021/q4/44 | x_refsource_MISC |
| http://packetstormsecurity.com/files/165019/Apach… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: v1.0.0 , < Apache Storm* (custom) |
| Apache Software Foundation | Apache Storm | Affected: Apache Storm , < v1.2.4 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:37:16.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2021/q4/44"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Non-Windows"
],
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache Storm*",
"status": "affected",
"version": "v1.0.0",
"versionType": "custom"
}
]
},
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"changes": [
{
"at": "v2.1.1",
"status": "unaffected"
},
{
"at": "v2.2.1",
"status": "unaffected"
},
{
"at": "v2.3.0",
"status": "unaffected"
}
],
"lessThan": "v1.2.4",
"status": "affected",
"version": "Apache Storm",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T18:06:14.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/oss-sec/2021/q4/44"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Shell Command Injection Vulnerability in Nimbus Thrift Server",
"workarounds": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-38294",
"STATE": "PUBLIC",
"TITLE": "Shell Command Injection Vulnerability in Nimbus Thrift Server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"platform": "Non-Windows",
"version_affected": "\u003e=",
"version_name": "Apache Storm",
"version_value": "v1.0.0"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v1.2.4"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.1.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.2.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
},
{
"name": "https://seclists.org/oss-sec/2021/q4/44",
"refsource": "MISC",
"url": "https://seclists.org/oss-sec/2021/q4/44"
},
{
"name": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-38294",
"datePublished": "2021-10-25T12:22:36.000Z",
"dateReserved": "2021-08-09T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:37:16.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0202 (GCVE-0-2019-0202)
Vulnerability from nvd – Published: 2019-07-25 23:17 – Updated: 2024-08-04 17:44
Summary
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.
Severity
No CVSS data available.
CWE
- CWE-200 - Information Exposure
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/220f1a77ff20… | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:14.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f%40%3Cuser.storm.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Storm",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "0.9.1-incubating to 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host\u0027s file system that were not intended to be accessible via these endpoints."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-25T23:17:23.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f%40%3Cuser.storm.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-0202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Storm",
"version": {
"version_data": [
{
"version_value": "0.9.1-incubating to 1.2.2"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host\u0027s file system that were not intended to be accessible via these endpoints."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[storm-user] 20190724 [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f@%3Cuser.storm.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-0202",
"datePublished": "2019-07-25T23:17:23.000Z",
"dateReserved": "2018-11-14T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:44:14.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11779 (GCVE-0-2018-11779)
Vulnerability from nvd – Published: 2019-07-25 23:23 – Updated: 2024-08-05 08:17
Summary
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.
Severity
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/3e4f704c4bd9… | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98%40%3Cuser.storm.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Storm",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "1.1.0 to 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-25T23:23:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98%40%3Cuser.storm.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2018-11779",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Storm",
"version": {
"version_data": [
{
"version_value": "1.1.0 to 1.2.2"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[storm-user] 20190724 [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98@%3Cuser.storm.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11779",
"datePublished": "2019-07-25T23:23:01.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-08-05T08:17:09.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1331 (GCVE-0-2018-1331)
Vulnerability from nvd – Published: 2018-07-10 17:00 – Updated: 2024-09-16 17:48
Summary
In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.
Severity
No CVSS data available.
CWE
- Remote Code Execution
References
5 references
| URL | Tags |
|---|---|
| http://storm.apache.org/2018/06/04/storm122-relea… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2018/07/10/4 | mailing-list, x_refsource_MLIST |
| http://storm.apache.org/2018/06/04/storm113-relea… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104732 | vdb-entry, x_refsource_BID |
| http://www.securitytracker.com/id/1041273 | vdb-entry, x_refsource_SECTRACK |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: 0.10.0 through 0.10.2; Affected: 1.0.0 through 1.0.6; Affected: 1.1.0 through 1.1.2; Affected: 1.2.0 through 1.2.1 |
Date Public
2018-07-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://storm.apache.org/2018/06/04/storm122-released.html"
},
{
"name": "[oss-security] 20180710 CVE-2018-1331: Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/07/10/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://storm.apache.org/2018/06/04/storm113-released.html"
},
{
"name": "104732",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104732"
},
{
"name": "1041273",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.10.0 through 0.10.2"
},
{
"status": "affected",
"version": "1.0.0 through 1.0.6"
},
{
"status": "affected",
"version": "1.1.0 through 1.1.2"
},
{
"status": "affected",
"version": "1.2.0 through 1.2.1"
}
]
}
],
"datePublic": "2018-07-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-14T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://storm.apache.org/2018/06/04/storm122-released.html"
},
{
"name": "[oss-security] 20180710 CVE-2018-1331: Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/07/10/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://storm.apache.org/2018/06/04/storm113-released.html"
},
{
"name": "104732",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104732"
},
{
"name": "1041273",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041273"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-07-10T00:00:00",
"ID": "CVE-2018-1331",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "0.10.0 through 0.10.2"
},
{
"version_value": "1.0.0 through 1.0.6"
},
{
"version_value": "1.1.0 through 1.1.2"
},
{
"version_value": "1.2.0 through 1.2.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://storm.apache.org/2018/06/04/storm122-released.html",
"refsource": "CONFIRM",
"url": "http://storm.apache.org/2018/06/04/storm122-released.html"
},
{
"name": "[oss-security] 20180710 CVE-2018-1331: Apache Storm remote code execution vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/07/10/4"
},
{
"name": "http://storm.apache.org/2018/06/04/storm113-released.html",
"refsource": "CONFIRM",
"url": "http://storm.apache.org/2018/06/04/storm113-released.html"
},
{
"name": "104732",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104732"
},
{
"name": "1041273",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041273"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1331",
"datePublished": "2018-07-10T17:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:48:08.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8008 (GCVE-0-2018-8008)
Vulnerability from nvd – Published: 2018-06-05 19:00 – Updated: 2024-09-16 16:38
Summary
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
Severity
No CVSS data available.
CWE
- Arbitrary File Write
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/613b2fca8bcd… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104418 | vdb-entry, x_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier |
Date Public
2018-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:11.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104418",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104418"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
],
"datePublic": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary File Write",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-09T09:57:02.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104418",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104418"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-06-05T00:00:00",
"ID": "CVE-2018-8008",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary File Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58@%3Cdev.storm.apache.org%3E",
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58@%3Cdev.storm.apache.org%3E"
},
{
"name": "104418",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104418"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8008",
"datePublished": "2018-06-05T19:00:00.000Z",
"dateReserved": "2018-03-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:38:31.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1332 (GCVE-0-2018-1332)
Vulnerability from nvd – Published: 2018-06-05 19:00 – Updated: 2024-09-16 16:23
Summary
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
Severity
No CVSS data available.
CWE
- User Impersonation
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/50f1d6a7af27… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104399 | vdb-entry, x_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier | |
Date Public
2018-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104399",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
],
"datePublic": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User Impersonation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104399",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104399"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-06-05T00:00:00",
"ID": "CVE-2018-1332",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User Impersonation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4@%3Cdev.storm.apache.org%3E",
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4@%3Cdev.storm.apache.org%3E"
},
{
"name": "104399",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104399"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1332",
"datePublished": "2018-06-05T19:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:23:01.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0115 (GCVE-0-2014-0115)
Vulnerability from nvd – Published: 2017-10-30 16:00 – Updated: 2024-08-06 09:05
VLAI
Summary
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://mail-archives.apache.org/mod_mbox/storm-d… | mailing-list, x_refsource_MLIST |
| https://issues.apache.org/jira/browse/STORM-269 | x_refsource_CONFIRM |
Date Public
2014-03-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:05:38.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[storm-dev] 20140429 [jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/storm-dev/201404.mbox/%3CJIRA.12704141.1395964296891.201561.1398799995645%40arcas%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/STORM-269"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-03-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-30T15:57:02.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[storm-dev] 20140429 [jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/storm-dev/201404.mbox/%3CJIRA.12704141.1395964296891.201561.1398799995645%40arcas%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/STORM-269"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0115",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[storm-dev] 20140429 [jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/storm-dev/201404.mbox/%3CJIRA.12704141.1395964296891.201561.1398799995645@arcas%3E"
},
{
"name": "https://issues.apache.org/jira/browse/STORM-269",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/STORM-269"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-0115",
"datePublished": "2017-10-30T16:00:00.000Z",
"dateReserved": "2013-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-06T09:05:38.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9799 (GCVE-0-2017-9799)
Vulnerability from nvd – Published: 2017-08-09 21:00 – Updated: 2024-09-17 02:06
VLAI
Summary
It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.
Severity
No CVSS data available.
CWE
- code execution as a different user.
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/b9125bf507ed… | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/100235 | vdb-entry, x_refsource_BID |
| http://www.securitytracker.com/id/1039116 | vdb-entry, x_refsource_SECTRACK |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: 1.0.0 through 1.0.3; Affected: 1.1.0 | |
Date Public
2017-08-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:01.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170809 [CVE-2017-9799] Apache Storm Possible Code Execution As A Different User",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127%40%3Cdev.storm.apache.org%3E"
},
{
"name": "100235",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100235"
},
{
"name": "1039116",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1039116"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0 through 1.0.3"
},
{
"status": "affected",
"version": "1.1.0"
}
]
}
],
"datePublic": "2017-08-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "code execution as a different user.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-10T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170809 [CVE-2017-9799] Apache Storm Possible Code Execution As A Different User",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127%40%3Cdev.storm.apache.org%3E"
},
{
"name": "100235",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100235"
},
{
"name": "1039116",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1039116"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-08-09T00:00:00",
"ID": "CVE-2017-9799",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "1.0.0 through 1.0.3"
},
{
"version_value": "1.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "code execution as a different user."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170809 [CVE-2017-9799] Apache Storm Possible Code Execution As A Different User",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3E"
},
{
"name": "100235",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100235"
},
{
"name": "1039116",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1039116"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9799",
"datePublished": "2017-08-09T21:00:00.000Z",
"dateReserved": "2017-06-21T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:16.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3188 (GCVE-0-2015-3188)
Vulnerability from nvd – Published: 2017-01-13 15:00 – Updated: 2024-08-06 05:39
VLAI
Summary
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://www.securitytracker.com/id/1032695 | vdb-entry, x_refsource_SECTRACK |
| http://www.securityfocus.com/archive/1/535804/100… | mailing-list, x_refsource_BUGTRAQ |
| http://packetstormsecurity.com/files/132417/Apach… | x_refsource_MISC |
Date Public
2015-06-20 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1032695",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1032695"
},
{
"name": "20150620 [CVE-2015-3188] Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/535804/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1032695",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1032695"
},
{
"name": "20150620 [CVE-2015-3188] Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/535804/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3188",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1032695",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1032695"
},
{
"name": "20150620 [CVE-2015-3188] Apache Storm remote code execution vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/535804/100/0/threaded"
},
{
"name": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3188",
"datePublished": "2017-01-13T15:00:00.000Z",
"dateReserved": "2015-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T05:39:31.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-41081 (GCVE-0-2026-41081)
Vulnerability from cvelistv5 – Published: 2026-04-27 13:10 – Updated: 2026-04-27 14:43
VLAI
Title
Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure
Summary
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm
Versions Affected: up to 2.8.7
Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.
This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.
Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.
Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.
Users who cannot upgrade immediately should:
- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)
- Ensure authorization rules explicitly deny access to CN=ANONYMOUS
- Review all ACL configurations for implicit default-allow behavior
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm Client | Affected: 0 , < 2.8.7 (semver) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-27T13:36:46.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/25/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-41081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T14:42:46.312578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:43:31.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"packageName": "org.apache.storm:storm-client",
"product": "Apache Storm Client",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "K"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eImproper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e\u003cb\u003eVersions Affected:\u003c/b\u003e up to 2.8.7\u003cbr\u003e\u003cbr\u003e\u003cb\u003eDescription: \u003c/b\u003eWhen TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\u003cbr\u003e\u003cbr\u003eThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eImpact:\u003c/b\u003e Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eMitigation:\u003c/b\u003e Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eUsers who cannot upgrade immediately should:\u003c/b\u003e\u003cbr\u003e- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\u003cbr\u003e- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\u003cbr\u003e- Review all ACL configurations for implicit default-allow behavior\u003cbr\u003e"
}
],
"value": "Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\n\nVersions Affected: up to 2.8.7\n\nDescription: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\n\nThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\n\nImpact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\n\nMitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\n\nUsers who cannot upgrade immediately should:\n- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\n- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\n- Review all ACL configurations for implicit default-allow behavior"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:10:45.886Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41081",
"datePublished": "2026-04-27T13:10:45.886Z",
"dateReserved": "2026-04-16T17:22:43.617Z",
"dateUpdated": "2026-04-27T14:43:31.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35337 (GCVE-0-2026-35337)
Vulnerability from cvelistv5 – Published: 2026-04-13 09:11 – Updated: 2026-04-14 03:55
VLAI
Title
Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Summary
Deserialization of Untrusted Data vulnerability in Apache Storm.
Versions Affected:
before 2.8.6.
Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
Mitigation:
2.x users should upgrade to 2.8.6.
Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered by K.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm Client | Affected: 0 , < 2.8.6 (semver) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-13T09:40:03.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/12/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T03:55:31.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"packageName": "org.apache.storm:storm-client",
"product": "Apache Storm Client",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "K"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eDeserialization of Untrusted Data vulnerability in Apache Storm.\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVersions Affected:\u003c/strong\u003e\nbefore 2.8.6.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using \u003ccode\u003eObjectInputStream.readObject()\u003c/code\u003e without any class filtering or validation.\u0026nbsp;An authenticated user with topology submission rights could supply a crafted serialized object in the \u003ccode\u003e\"TGT\"\u003c/code\u003e credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e\n2.x users should upgrade to 2.8.6.\u003c/p\u003e\n\u003cp\u003eUsers who cannot upgrade immediately should monkey-patch an \u003ccode\u003eObjectInputFilter\u003c/code\u003e allow-list to \u003ccode\u003eClientAuthUtils.deserializeKerberosTicket()\u003c/code\u003e restricting deserialized classes to \u003ccode\u003ejavax.security.auth.kerberos.KerberosTicket\u003c/code\u003e and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cb\u003eCredit:\u003c/b\u003e This issue was discovered by K.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation.\u00a0An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T09:11:06.193Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://storm.apache.org/2026/04/12/storm286-released.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-35337",
"datePublished": "2026-04-13T09:11:06.193Z",
"dateReserved": "2026-04-02T09:21:36.185Z",
"dateUpdated": "2026-04-14T03:55:31.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35565 (GCVE-0-2026-35565)
Vulnerability from cvelistv5 – Published: 2026-04-13 09:10 – Updated: 2026-04-13 14:10
VLAI
Title
Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Summary
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI
Versions Affected: before 2.8.6
Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting.
In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.
Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered while investigating another report by K.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm UI | Affected: 0 , < 2.8.6 (semver) | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-13T09:40:05.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/12/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T14:09:39.740938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:10:07.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"packageName": "org.apache.storm:storm-webapp",
"product": "Apache Storm UI",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003eStored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eVersions Affected:\u003c/strong\u003e before 2.8.6\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via \u003ccode\u003einnerHTML\u003c/code\u003e in \u003ccode\u003eparseNode()\u003c/code\u003e and \u003ccode\u003eparseEdge()\u003c/code\u003e without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an \u003ccode\u003eonerror\u003c/code\u003e event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin\u0027s browser session.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e\u0026nbsp;2.x users should upgrade to 2.8.6. 
Users who cannot upgrade immediately should monkey-patch the \u003ccode\u003eparseNode()\u003c/code\u003e and \u003ccode\u003eparseEdge()\u003c/code\u003e functions in the visualization JavaScript file to HTML-escape all API-supplied values including \u003ccode\u003enodeId\u003c/code\u003e, \u003ccode\u003e:capacity\u003c/code\u003e, \u003ccode\u003e:latency\u003c/code\u003e, \u003ccode\u003e:component\u003c/code\u003e, \u003ccode\u003e:stream\u003c/code\u003e, and \u003ccode\u003e:grouping\u003c/code\u003e\u0026nbsp;before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.\u0026nbsp;A guide on how to do this is available in the release notes of 2.8.6.\u003c/p\u003e\u003cb\u003eCredit:\u003c/b\u003e This issue was discovered while investigating another report by K.\u003cbr\u003e"
}
],
"value": "Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\n\n\nVersions Affected: before 2.8.6\n\n\nDescription: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus \u2192 Thrift \u2192 the Visualization API \u2192 vis.js tooltip rendering, resulting in stored cross-site scripting.\u00a0\n\nIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin\u0027s browser session.\n\n\nMitigation:\u00a02.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping\u00a0before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure.\u00a0A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered while investigating another report by K."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T09:10:17.367Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://storm.apache.org/2026/04/12/storm286-released.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-35565",
"datePublished": "2026-04-13T09:10:17.367Z",
"dateReserved": "2026-04-03T15:14:12.281Z",
"dateUpdated": "2026-04-13T14:10:07.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-43123 (GCVE-0-2023-43123)
Vulnerability from cvelistv5 – Published: 2023-11-23 09:16 – Updated: 2025-02-13 17:13
VLAI
Title
Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due to temporary files
Summary
On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.
The method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.
File.createTempFile(String, String) will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set.
This affects the class https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99 and was introduced by https://issues.apache.org/jira/browse/STORM-3123
In practice, this has a very limited impact as this class is used only if ui.disable.spout.lag.monitoring is set to false, but its value is true by default.
Moreover, the temporary file gets deleted soon after its creation.
The solution is to use Files.createTempFile https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...) instead.
We recommend that all users upgrade to the latest version of Apache Storm.
Severity
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: 2.0.0 , < 2.6.0 (maven) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:37:23.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/23/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "affected",
"packageName": "storm-core",
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.6.0",
"status": "affected",
"version": "2.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrea Cosentino from Apache Software Foundation"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eOn unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\u003cbr\u003e\u003cbr\u003eThe method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eFile.createTempFile(String, String) will create a temporary file in the system temporary directory if the \u0027java.io.tmpdir\u0027 system property is not explicitly set. \u003cbr\u003e\u003cbr\u003eThis affects the class\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99\"\u003ehttps://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99\u003c/a\u003e\u0026nbsp;and was introduced by\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://issues.apache.org/jira/browse/STORM-3123\"\u003ehttps://issues.apache.org/jira/browse/STORM-3123\u003c/a\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eIn practice, this has a very limited impact as this class is used only if\u0026nbsp;\u003cspan style=\"background-color: rgb(206, 204, 247);\"\u003eui.disable.spout.lag.monitoring\u003c/span\u003e\u003c/div\u003e \u003cdiv\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eis set to false, but its value is true by default.\u003cbr\u003eMoreover, the temporary file gets deleted soon after its creation.\u003cbr\u003e\u003cbr\u003eThe solution is to 
use\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--hig);\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...)\"\u003eFiles.createTempFile\u003c/a\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;instead.\u003cbr\u003e\u003cbr\u003eWe recommend that all users upgrade to the latest version of Apache Storm.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\n\nThe method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.\n\nFile.createTempFile(String, String) will create a temporary file in the system temporary directory if the \u0027java.io.tmpdir\u0027 system property is not explicitly set. \n\nThis affects the class\u00a0 https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99 \u00a0and was introduced by\u00a0 https://issues.apache.org/jira/browse/STORM-3123 \n\nIn practice, this has a very limited impact as this class is used only if\u00a0ui.disable.spout.lag.monitoring\n\n is set to false, but its value is true by default.\nMoreover, the temporary file gets deleted soon after its creation.\n\nThe solution is to use\u00a0 Files.createTempFile https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...) \u00a0instead.\n\nWe recommend that all users upgrade to the latest version of Apache Storm."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-23T09:20:06.031Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/23/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-43123",
"datePublished": "2023-11-23T09:16:34.705Z",
"dateReserved": "2023-09-18T11:00:41.170Z",
"dateUpdated": "2025-02-13T17:13:14.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40865 (GCVE-0-2021-40865)
Vulnerability from cvelistv5 – Published: 2021-10-25 12:22 – Updated: 2024-08-04 02:51
VLAI
Title
Unsafe Pre-Authentication Deserialization In Workers
Summary
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
Severity
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r8d45e742998… | x_refsource_MISC |
| https://seclists.org/oss-sec/2021/q4/45 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: v1.0.0 , < Apache Storm * (custom); Affected: Apache Storm , < v1.2.4 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:51:07.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache Storm *",
"status": "affected",
"version": "v1.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "v2.1.1",
"status": "unaffected"
},
{
"at": "v2.2.1",
"status": "unaffected"
},
{
"at": "v2.3.0",
"status": "unaffected"
}
],
"lessThan": "v1.2.4",
"status": "affected",
"version": "Apache Storm",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4"
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T12:22:37.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unsafe Pre-Authentication Deserialization In Workers",
"workarounds": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-40865",
"STATE": "PUBLIC",
"TITLE": "Unsafe Pre-Authentication Deserialization In Workers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache Storm",
"version_value": "v1.0.0"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v1.2.4"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.1.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.2.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"name": "https://seclists.org/oss-sec/2021/q4/45",
"refsource": "MISC",
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-40865",
"datePublished": "2021-10-25T12:22:37.000Z",
"dateReserved": "2021-09-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:51:07.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38294 (GCVE-0-2021-38294)
Vulnerability from cvelistv5 – Published: 2021-10-25 12:22 – Updated: 2024-08-04 01:37
VLAI
Title
Shell Command Injection Vulnerability in Nimbus Thrift Server
Summary
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
Severity
No CVSS data available.
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r5fe881f6ca8… | x_refsource_MISC |
| https://seclists.org/oss-sec/2021/q4/44 | x_refsource_MISC |
| http://packetstormsecurity.com/files/165019/Apach… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: v1.0.0 , < Apache Storm* (custom) | |
| Apache Software Foundation | Apache Storm | Affected: Apache Storm , < v1.2.4 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:37:16.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2021/q4/44"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Non-Windows"
],
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache Storm*",
"status": "affected",
"version": "v1.0.0",
"versionType": "custom"
}
]
},
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"changes": [
{
"at": "v2.1.1",
"status": "unaffected"
},
{
"at": "v2.2.1",
"status": "unaffected"
},
{
"at": "v2.3.0",
"status": "unaffected"
}
],
"lessThan": "v1.2.4",
"status": "affected",
"version": "Apache Storm",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T18:06:14.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/oss-sec/2021/q4/44"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Shell Command Injection Vulnerability in Nimbus Thrift Server",
"workarounds": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-38294",
"STATE": "PUBLIC",
"TITLE": "Shell Command Injection Vulnerability in Nimbus Thrift Server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"platform": "Non-Windows",
"version_affected": "\u003e=",
"version_name": "Apache Storm",
"version_value": "v1.0.0"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v1.2.4"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.1.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.2.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache Storm",
"version_value": "v2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Storm would like to thank @pwntester Alvaro Mu\u00f1oz of the GitHub Security Lab team for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
},
{
"name": "https://seclists.org/oss-sec/2021/q4/44",
"refsource": "MISC",
"url": "https://seclists.org/oss-sec/2021/q4/44"
},
{
"name": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-38294",
"datePublished": "2021-10-25T12:22:36.000Z",
"dateReserved": "2021-08-09T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:37:16.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11779 (GCVE-0-2018-11779)
Vulnerability from cvelistv5 – Published: 2019-07-25 23:23 – Updated: 2024-08-05 08:17
VLAI
Summary
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.
Severity
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/3e4f704c4bd9… | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98%40%3Cuser.storm.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Storm",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "1.1.0 to 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-25T23:23:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98%40%3Cuser.storm.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2018-11779",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Storm",
"version": {
"version_data": [
{
"version_value": "1.1.0 to 1.2.2"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[storm-user] 20190724 [CVE-2018-11779] Apache Storm UI Java deserialization vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98@%3Cuser.storm.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11779",
"datePublished": "2019-07-25T23:23:01.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-08-05T08:17:09.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0202 (GCVE-0-2019-0202)
Vulnerability from cvelistv5 – Published: 2019-07-25 23:17 – Updated: 2024-08-04 17:44
Summary
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.
Severity
No CVSS data available.
CWE
- CWE-200 - Information Exposure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/220f1a77ff20… | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:14.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f%40%3Cuser.storm.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Storm",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "0.9.1-incubating to 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host\u0027s file system that were not intended to be accessible via these endpoints."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-25T23:17:23.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[storm-user] 20190724 [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f%40%3Cuser.storm.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-0202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Storm",
"version": {
"version_data": [
{
"version_value": "0.9.1-incubating to 1.2.2"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host\u0027s file system that were not intended to be accessible via these endpoints."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[storm-user] 20190724 [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f@%3Cuser.storm.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-0202",
"datePublished": "2019-07-25T23:17:23.000Z",
"dateReserved": "2018-11-14T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:44:14.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1331 (GCVE-0-2018-1331)
Vulnerability from cvelistv5 – Published: 2018-07-10 17:00 – Updated: 2024-09-16 17:48
Summary
In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure Storm cluster could, in some cases, execute arbitrary code as a different user.
Severity
No CVSS data available.
CWE
- Remote Code Execution
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://storm.apache.org/2018/06/04/storm122-relea… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2018/07/10/4 | mailing-list, x_refsource_MLIST |
| http://storm.apache.org/2018/06/04/storm113-relea… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104732 | vdb-entry, x_refsource_BID |
| http://www.securitytracker.com/id/1041273 | vdb-entry, x_refsource_SECTRACK |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: 0.10.0 through 0.10.2; 1.0.0 through 1.0.6; 1.1.0 through 1.1.2; 1.2.0 through 1.2.1 | |
Date Public
2018-07-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://storm.apache.org/2018/06/04/storm122-released.html"
},
{
"name": "[oss-security] 20180710 CVE-2018-1331: Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/07/10/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://storm.apache.org/2018/06/04/storm113-released.html"
},
{
"name": "104732",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104732"
},
{
"name": "1041273",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.10.0 through 0.10.2"
},
{
"status": "affected",
"version": "1.0.0 through 1.0.6"
},
{
"status": "affected",
"version": "1.1.0 through 1.1.2"
},
{
"status": "affected",
"version": "1.2.0 through 1.2.1"
}
]
}
],
"datePublic": "2018-07-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-14T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://storm.apache.org/2018/06/04/storm122-released.html"
},
{
"name": "[oss-security] 20180710 CVE-2018-1331: Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/07/10/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://storm.apache.org/2018/06/04/storm113-released.html"
},
{
"name": "104732",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104732"
},
{
"name": "1041273",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041273"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-07-10T00:00:00",
"ID": "CVE-2018-1331",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "0.10.0 through 0.10.2"
},
{
"version_value": "1.0.0 through 1.0.6"
},
{
"version_value": "1.1.0 through 1.1.2"
},
{
"version_value": "1.2.0 through 1.2.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://storm.apache.org/2018/06/04/storm122-released.html",
"refsource": "CONFIRM",
"url": "http://storm.apache.org/2018/06/04/storm122-released.html"
},
{
"name": "[oss-security] 20180710 CVE-2018-1331: Apache Storm remote code execution vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/07/10/4"
},
{
"name": "http://storm.apache.org/2018/06/04/storm113-released.html",
"refsource": "CONFIRM",
"url": "http://storm.apache.org/2018/06/04/storm113-released.html"
},
{
"name": "104732",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104732"
},
{
"name": "1041273",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041273"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1331",
"datePublished": "2018-07-10T17:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:48:08.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1332 (GCVE-0-2018-1332)
Vulnerability from cvelistv5 – Published: 2018-06-05 19:00 – Updated: 2024-09-16 16:23
Summary
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
Severity
No CVSS data available.
CWE
- User Impersonation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/50f1d6a7af27… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104399 | vdb-entry, x_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier | |
Date Public
2018-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104399",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
],
"datePublic": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User Impersonation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104399",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104399"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-06-05T00:00:00",
"ID": "CVE-2018-1332",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User Impersonation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4@%3Cdev.storm.apache.org%3E",
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4@%3Cdev.storm.apache.org%3E"
},
{
"name": "104399",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104399"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1332",
"datePublished": "2018-06-05T19:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:23:01.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8008 (GCVE-0-2018-8008)
Vulnerability from cvelistv5 – Published: 2018-06-05 19:00 – Updated: 2024-09-16 16:38
Summary
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability that can be triggered with a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) holding path traversal filenames. When such a filename is concatenated to the target extraction directory, the final path ends up outside the target folder.
Severity
No CVSS data available.
CWE
- Arbitrary File Write
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/613b2fca8bcd… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104418 | vdb-entry, x_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier | |
Date Public
2018-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:11.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104418",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104418"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
],
"datePublic": "2018-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary File Write",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-09T09:57:02.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E"
},
{
"name": "104418",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104418"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-06-05T00:00:00",
"ID": "CVE-2018-8008",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary File Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58@%3Cdev.storm.apache.org%3E",
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58@%3Cdev.storm.apache.org%3E"
},
{
"name": "104418",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104418"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8008",
"datePublished": "2018-06-05T19:00:00.000Z",
"dateReserved": "2018-03-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:38:31.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0115 (GCVE-0-2014-0115)
Vulnerability from cvelistv5 – Published: 2017-10-30 16:00 – Updated: 2024-08-06 09:05
Summary
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://mail-archives.apache.org/mod_mbox/storm-d… | mailing-list, x_refsource_MLIST |
| https://issues.apache.org/jira/browse/STORM-269 | x_refsource_CONFIRM |
Date Public
2014-03-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:05:38.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[storm-dev] 20140429 [jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/storm-dev/201404.mbox/%3CJIRA.12704141.1395964296891.201561.1398799995645%40arcas%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/STORM-269"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-03-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-30T15:57:02.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[storm-dev] 20140429 [jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/storm-dev/201404.mbox/%3CJIRA.12704141.1395964296891.201561.1398799995645%40arcas%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/STORM-269"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0115",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[storm-dev] 20140429 [jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/storm-dev/201404.mbox/%3CJIRA.12704141.1395964296891.201561.1398799995645@arcas%3E"
},
{
"name": "https://issues.apache.org/jira/browse/STORM-269",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/STORM-269"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-0115",
"datePublished": "2017-10-30T16:00:00.000Z",
"dateReserved": "2013-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-06T09:05:38.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9799 (GCVE-0-2017-9799)
Vulnerability from cvelistv5 – Published: 2017-08-09 21:00 – Updated: 2024-09-17 02:06
Summary
It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case this could lead to the secure credentials of the other user being compromised.
Severity
No CVSS data available.
CWE
- code execution as a different user.
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/b9125bf507ed… | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/100235 | vdb-entry, x_refsource_BID |
| http://www.securitytracker.com/id/1039116 | vdb-entry, x_refsource_SECTRACK |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Affected: 1.0.0 through 1.0.3; 1.1.0 | |
Date Public
2017-08-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:01.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170809 [CVE-2017-9799] Apache Storm Possible Code Execution As A Different User",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127%40%3Cdev.storm.apache.org%3E"
},
{
"name": "100235",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100235"
},
{
"name": "1039116",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1039116"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Storm",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0 through 1.0.3"
},
{
"status": "affected",
"version": "1.1.0"
}
]
}
],
"datePublic": "2017-08-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "code execution as a different user.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-10T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170809 [CVE-2017-9799] Apache Storm Possible Code Execution As A Different User",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127%40%3Cdev.storm.apache.org%3E"
},
{
"name": "100235",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100235"
},
{
"name": "1039116",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1039116"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-08-09T00:00:00",
"ID": "CVE-2017-9799",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_value": "1.0.0 through 1.0.3"
},
{
"version_value": "1.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "code execution as a different user."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170809 [CVE-2017-9799] Apache Storm Possible Code Execution As A Different User",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3E"
},
{
"name": "100235",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100235"
},
{
"name": "1039116",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1039116"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9799",
"datePublished": "2017-08-09T21:00:00.000Z",
"dateReserved": "2017-06-21T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:16.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3188 (GCVE-0-2015-3188)
Vulnerability from cvelistv5 – Published: 2017-01-13 15:00 – Updated: 2024-08-06 05:39
Summary
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://www.securitytracker.com/id/1032695 | vdb-entry, x_refsource_SECTRACK |
| http://www.securityfocus.com/archive/1/535804/100… | mailing-list, x_refsource_BUGTRAQ |
| http://packetstormsecurity.com/files/132417/Apach… | x_refsource_MISC |
Date Public
2015-06-20 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1032695",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1032695"
},
{
"name": "20150620 [CVE-2015-3188] Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/535804/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1032695",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1032695"
},
{
"name": "20150620 [CVE-2015-3188] Apache Storm remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/535804/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-3188",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1032695",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1032695"
},
{
"name": "20150620 [CVE-2015-3188] Apache Storm remote code execution vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/535804/100/0/threaded"
},
{
"name": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3188",
"datePublished": "2017-01-13T15:00:00.000Z",
"dateReserved": "2015-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T05:39:31.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}