Remote Code Execution Vulnerability in Apache Storm Products
CVE-2018-1331

8.8 HIGH

Key Information:

Vendor: Apache
CVE Published: 10 July 2018

Summary

In certain versions of Apache Storm, an attacker who gains access to a secure cluster could exploit a vulnerability allowing them to execute arbitrary code as a different user. This poses significant security risks as it could lead to unauthorized actions within the cluster environment. Organizations using the affected versions should take immediate steps to mitigate this vulnerability.

Affected Version(s)

Apache Storm 0.10.0 through 0.10.2

Apache Storm 1.0.0 through 1.0.6

Apache Storm 1.1.0 through 1.1.2

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
