High severity8.8NVD Advisory· Published Aug 9, 2017· Updated May 13, 2026

CVE-2017-9799

Description

It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.storm:storm-coreMaven	>= 1.1.0, < 1.1.1	1.1.1
org.apache.storm:storm-coreMaven	>= 1.0.0, < 1.0.4	1.0.4

Affected products

Apache/Storm5 versions
cpe:2.3:a:apache:storm:1.0:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:apache:storm:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:storm:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:storm:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:storm:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:storm:1.1:*:*:*:*:*:*:*
Apache Software Foundation/Apache Stormv5
Range: 1.0.0 through 1.0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/100235nvdThird Party AdvisoryVDB EntryWEB
www.securitytracker.com/id/1039116nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-x825-rjww-2245ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-9799ghsaADVISORY
lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3EghsaWEB
lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127%40%3Cdev.storm.apache.org%3Envd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000