Critical severityNVD Advisory· Published Jul 25, 2019· Updated Aug 5, 2024

CVE-2018-11779

Description

In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.storm:storm-kafkaMaven	>= 1.1.0, < 1.2.3	1.2.3
org.apache.storm:storm-kafka-clientMaven	>= 1.1.0, < 1.2.3	1.2.3

Affected products

Apache/Stormv5
Range: 1.1.0 to 1.2.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-25pc-85qf-6j69ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2018-11779ghsaADVISORY
lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98%40%3Cuser.storm.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/3e4f704c4bd9296405a07a0290b8cbb6cbf5046e277efe6d93280a98@%3Cuser.storm.apache.org%3EghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000