CVE-2018-1331

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Storm
Vendor: CVE Published:; 10 July 2018

Summary

In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.

Affected Version(s)

Apache Storm 0.10.0 through 0.10.2

Apache Storm 1.0.0 through 1.0.6

Apache Storm 1.1.0 through 1.1.2

References

http://storm.apache.org/2018/06/04/storm122-released.html

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2018/07/10/4

mailing-listx_refsource_MLIST

http://storm.apache.org/2018/06/04/storm113-released.html

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 10, 2018
Vulnerability Reserved
Dec 7, 2017