Maven package
org.apache.storm/storm-core
pkg:maven/org.apache.storm/storm-core
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-43123 | — | — | — | >= 2.0.0, < 2.6.0 | 2.6.0 | Nov 23, 2023 | On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The |
| CVE-2019-0202 | — | — | — | >= 0.9.1-incubating, < 1.2.3 | 1.2.3 | Jul 25, 2019 | The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo |
| CVE-2018-1331 | High | 8.8 | — | >= 1.2.0, < 1.2.2 | 1.2.2 | Jul 10, 2018 | In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user. |
| CVE-2018-8008 | Medium | 5.5 | — | >= 1.1.0, < 1.1.3 | 1.1.3 | Jun 5, 2018 | Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (affects other archives as well: bzip2, tar, xz, war, cpio, 7z) that holds path trave |
| CVE-2018-1332 | Medium | 6.5 | — | < 1.1.3 | 1.1.3 | Jun 5, 2018 | Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons. |
| CVE-2017-9799 | High | 8.8 | — | >= 1.1.0, < 1.1.1 | 1.1.1 | Aug 9, 2017 | It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case this could lea |