Description
It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case this could lead to the secure credentials of that other user being compromised.
References (3)
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127%40%3Cdev.storm.apache.org%3E
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/100235
Third Party Advisory, VDB Entry (x_refsource_sectrack): http://www.securitytracker.com/id/1039116
Scores
CVSS v3
8.8
EPSS
0.0089
EPSS Percentile
75.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
Status
published
Products (8)
apache/storm
1.0
apache/storm
1.0.1
apache/storm
1.0.2
apache/storm
1.0.3
apache/storm
1.1
Apache Software Foundation/Apache Storm
1.0.0 through 1.0.3
Apache Software Foundation/Apache Storm
1.1.0
org.apache.storm/storm-core
1.1.0 - 1.1.1 (Maven)
Published
Aug 09, 2017
Tracked Since
Feb 18, 2026