User Impersonation Vulnerability in Apache Storm by The Apache Software Foundation
CVE-2017-9799
8.8 HIGH
Summary
A potential user impersonation vulnerability exists in Apache Storm due to improper handling of configurations. Under specific conditions, an owner of a topology could manipulate the system to execute a worker process under the context of another non-root user. This situation heightens the risk of exposing sensitive credentials belonging to that user, leading to possible unauthorized access or escalation of privileges.
Affected Version(s)
Apache Storm 1.0.0 through 1.0.3
Apache Storm 1.1.0
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved