CVE-2021-38294

CRITICAL

Apache Storm <2.2.1, <1.2.4 - Command Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-38294. PoCs were published by Alvaro Muñoz and Spencer McIntyre, including the Metasploit module exploits/linux/misc/nimbus_gettopologyhistory_cmd_exec.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated command injection vulnerability in Apache Storm's Nimbus service via the getTopologyHistory RPC method. It allows remote code execution as the user running Apache Storm by injecting commands into a bash string.

Description

A command injection vulnerability exists in the getTopologyHistory service of Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted Thrift request to the Nimbus server allows remote code execution (RCE) prior to authentication.

Exploits (1)

Metasploit · Working PoC · Excellent
by Alvaro Muñoz, Spencer McIntyre · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nimbus_gettopologyhistory_cmd_exec.rb

Classification
Working PoC: 100%
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Storm versions 2.1.1, 2.2.1, and 1.2.4
Authentication: none needed
Prerequisites: At least one topology must have been submitted to the server
Analyzed by devstral-2 · Feb 16, 2026

References (3)

Core references (3)
Mailing List, Third Party Advisory (x_refsource_misc):
https://seclists.org/oss-sec/2021/q4/44

Scores

CVSS v3: 9.8
EPSS: 0.8206
EPSS percentile: 99.2%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78, CWE-74
Status: published
Products (2)
apache/storm 1.0.0 - 1.2.4
org.apache.storm/storm 2.2.0 - 2.2.1 (Maven)
Published: Oct 25, 2021
Tracked since: Feb 18, 2026