Shell Command Injection Vulnerability in Nimbus Thrift Server
Description
Command injection in Apache Storm's getTopologyHistory service allows unauthenticated RCE via crafted thrift request to Nimbus server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The getTopologyHistory service in Apache Storm versions 2.x prior to 2.2.1 and 1.x prior to 1.2.4 is vulnerable to command injection. A specially crafted thrift request to the Nimbus server can trigger remote code execution. The vulnerable code path is reachable before authentication, so no prior access is required. [1]
Exploitation
An attacker can send a malicious thrift request to the Nimbus server. The request embeds commands that are executed due to improper input validation. No authentication is needed. The attacker only needs network access to the Nimbus endpoint. [1]
Impact
Successful exploitation allows remote code execution on the Nimbus server, potentially leading to full compromise of the Storm cluster. The attacker can execute arbitrary commands with the privileges of the Storm process.
Mitigation
Apache Storm 2.2.1 and 1.2.4 contain fixes for this vulnerability. Users should upgrade to these versions immediately. No workarounds are mentioned in the available references. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.storm:storm (Maven) | >= 2.2.0, < 2.2.1 | 2.2.1 |
| org.apache.storm:storm (Maven) | >= 2.0.0, < 2.1.1 | 2.1.1 |
| org.apache.storm:storm (Maven) | >= 1.0.0, < 1.2.4 | 1.2.4 |
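Added example (not from the advisory or from the Apache Storm project) that checks deployed `org.apache.storm:storm` versions against exactly the ranges in the table above, so an inventory scan can flag hosts still on an affected release; the inventory format and the version parser are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Copied from the "Affected packages" table:
# (package, lower bound inclusive, upper bound exclusive, first patched release).
AFFECTED_RANGES = [
    ("org.apache.storm:storm", "2.2.0", "2.2.1", "2.2.1"),
    ("org.apache.storm:storm", "2.0.0", "2.1.1", "2.1.1"),
    ("org.apache.storm:storm", "1.0.0", "1.2.4", "1.2.4"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.0' (or '2.2.0-SNAPSHOT') into a comparable tuple of ints.
    Pre-release suffixes are dropped; that is an assumption of this example."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.2' -> (2, 2, 0)


def patched_version_for(package: str, version: str) -> Optional[str]:
    """Return the first patched release if (package, version) falls in an
    affected range, otherwise None."""
    v = parse_version(version)
    for pkg, low, high, patched in AFFECTED_RANGES:
        if pkg == package and parse_version(low) <= v < parse_version(high):
            return patched
    return None


def scan_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory entries are (host, package, version); returns
    (host, version, patched) for every entry that is affected."""
    findings = []
    for host, package, version in inventory:
        patched = patched_version_for(package, version)
        if patched is not None:
            findings.append((host, version, patched))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("nimbus-01", "org.apache.storm:storm", "2.2.0"),
        ("nimbus-02", "org.apache.storm:storm", "2.2.1"),
        ("nimbus-03", "org.apache.storm:storm", "1.2.3"),
    ]
    for host, version, patched in scan_inventory(sample):
        print(f"{host}: storm {version} affected by CVE-2021-38294, upgrade to {patched}")
```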
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-6768-mcjc-8223 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-38294 (NVD advisory)
- packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html (web)
- lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E (web)
- seclists.org/oss-sec/2021/q4/44 (web)
News mentions (0)
No linked articles in our index yet.