Maven package
org.apache.storm/storm
pkg:maven/org.apache.storm/storm
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-40865 | — | — | — | >= 2.2.0, < 2.2.1 | 2.2.1 | Oct 25, 2021 | An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. |
| CVE-2021-38294 | — | — | — | >= 2.2.0, < 2.2.1 | 2.2.1 | Oct 25, 2021 | A Command Injection vulnerability exists in the getTopologyHistory service of Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted Thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. |
| CVE-2014-0115 | High | 7.5 | — | <= 0.9.0.1 | — | Oct 30, 2017 | Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log. |
| CVE-2015-3188 | Critical | 9.8 | — | >= 0.10.0-beta, < 0.10.0-beta1 | 0.10.0-beta1 | Jan 13, 2017 | The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. |
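The affected-version ranges above can be checked mechanically against the version a build actually pulls in. The following Python is an added example, not code from this page or from the Apache Storm project. It implements a simplified approximation of Maven's version ordering (the qualifier ranks and the padding rule are assumptions, not the real ComparableVersion), parses range strings in the form the table uses, and reports which of the four CVEs a given org.apache.storm/storm version falls into. It also carries a second range set derived from the Description column, because the table's ranges for CVE-2021-40865 and CVE-2021-38294 are narrower than the advisory text, which also names 2.1.x before 2.1.1 (40865) and 2.x before 2.2.1 plus 1.x before 1.2.4 (38294); the lower bounds 2.1.0, 2.0.0 and 1.0.0 used for those are my reading of "2.1.x", "2.x" and "1.x", not values the page states.

```python
"""Match a Maven version of org.apache.storm/storm against the CVE ranges listed above.

Added example, not part of the original page or of Apache Storm. The comparator
below approximates Maven's ComparableVersion ordering; treat it as an assumption.
"""
import re

# Qualifier ranks approximating Maven: alpha < beta < milestone < rc < snapshot < release < sp.
# A plain release is represented by the empty qualifier "".
_QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
    "rc": 3, "cr": 3, "snapshot": 4, "": 5, "ga": 5, "final": 5, "release": 5, "sp": 6,
}


def _tokenize(version):
    """Split '0.10.0-beta1' into [0, 10, 0, 'beta', 1]: digit runs become ints,
    letter runs become lower-case qualifiers; '.', '-' and digit/letter boundaries separate."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[a-z]+", version.lower())]


def _cmp_token(a, b):
    if isinstance(a, int) and isinstance(b, int):
        return (a > b) - (a < b)
    if isinstance(a, str) and isinstance(b, str):
        # Unknown qualifiers sort after the known ones, then lexically.
        ra, rb = (_QUALIFIER_RANK.get(a, 7), a), (_QUALIFIER_RANK.get(b, 7), b)
        return (ra > rb) - (ra < rb)
    # Maven treats a number as newer than a qualifier at the same position.
    return 1 if isinstance(a, int) else -1


def compare_versions(a, b):
    """Return <0, 0 or >0 like a comparator. Missing trailing items are padded with
    0 (against a number) or "" (against a qualifier), so '2.2' == '2.2.0' and
    '1.0' > '1.0-beta', while '0.10.0-beta' < '0.10.0-beta1'."""
    ta, tb = _tokenize(a), _tokenize(b)
    for i in range(max(len(ta), len(tb))):
        if i < len(ta) and i < len(tb):
            x, y = ta[i], tb[i]
        elif i < len(ta):
            x = ta[i]
            y = 0 if isinstance(x, int) else ""
        else:
            y = tb[i]
            x = 0 if isinstance(y, int) else ""
        c = _cmp_token(x, y)
        if c:
            return c
    return 0


_OPS = {
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
    "<=": lambda c: c <= 0, "<": lambda c: c < 0, "=": lambda c: c == 0,
}
_CONSTRAINT = re.compile(r"(>=|<=|>|<|=)\s*([^\s,]+)")


def in_range(version, range_spec):
    """True when version satisfies every constraint of e.g. '>= 2.2.0, < 2.2.1'."""
    constraints = _CONSTRAINT.findall(range_spec)
    if not constraints:
        raise ValueError(f"unparseable range: {range_spec!r}")
    return all(_OPS[op](compare_versions(version, bound)) for op, bound in constraints)


# Ranges exactly as the table on this page lists them (each CVE may carry several alternatives).
TABLE_RANGES = {
    "CVE-2021-40865": [">= 2.2.0, < 2.2.1"],
    "CVE-2021-38294": [">= 2.2.0, < 2.2.1"],
    "CVE-2014-0115": ["<= 0.9.0.1"],
    "CVE-2015-3188": [">= 0.10.0-beta, < 0.10.0-beta1"],
}

# Broader ranges read from the Description column. The lower bounds 2.1.0, 2.0.0 and
# 1.0.0 are my interpretation of "2.1.x", "2.x" and "1.x" (assumption, not page data).
ADVISORY_RANGES = {
    "CVE-2021-40865": [">= 2.2.0, < 2.2.1", ">= 2.1.0, < 2.1.1"],
    "CVE-2021-38294": [">= 2.0.0, < 2.2.1", ">= 1.0.0, < 1.2.4"],
    "CVE-2014-0115": ["<= 0.9.0.1"],
    "CVE-2015-3188": [">= 0.10.0-beta, < 0.10.0-beta1"],
}


def affected_cves(version, ranges=TABLE_RANGES):
    """CVE ids whose range set contains version, in table order."""
    return [cve for cve, specs in ranges.items() if any(in_range(version, s) for s in specs)]


if __name__ == "__main__":
    # Constructed sample versions; a real check would read the resolved version
    # from the build (e.g. the output of mvn dependency:list).
    for v in ("2.2.0", "2.1.0", "1.2.3", "0.10.0-beta", "0.9.0.1", "2.2.1"):
        print(f"{v:12} table={affected_cves(v)} advisory={affected_cves(v, ADVISORY_RANGES)}")
```

Two things the run makes visible: 2.1.0 and 1.2.3 are clean under the table's ranges but flagged under the advisory-derived ones, so the narrower column should not be the only input to a triage decision; and the CVE-2014-0115 entry states only an upper bound, so every release up to 0.9.0.1 matches it even though the description names 0.9.0.1 alone.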