Description
In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
http://storm.apache.org/2018/06/04/storm122-released.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2018/07/10/4
Vendor Advisory x_refsource_confirm
http://storm.apache.org/2018/06/04/storm113-released.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/104732
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041273
Scores
CVSS v3
8.8
EPSS
0.0511
EPSS Percentile
89.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (2)
apache/storm
0.10.0 - 0.10.2
org.apache.storm/storm-core
1.2.0 - 1.2.2Maven
Published
Jul 10, 2018
Tracked Since
Feb 18, 2026