Shell Command Injection Vulnerability in Nimbus Thrift Server
CVE-2021-38294

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Storm
Vendor: CVE Published:; 25 October 2021

Summary

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

Affected Version(s)

Apache Storm Apache Storm

Apache Storm Non-Windows v1.0.0

References

https://lists.apache.org/thread.html/r5fe881f6ca883908b7a...

x_refsource_MISC

https://seclists.org/oss-sec/2021/q4/44

x_refsource_MISC

http://packetstormsecurity.com/files/165019/Apache-Storm-...

x_refsource_MISC

EPSS Score

91% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 25, 2021
Vulnerability Reserved
Aug 9, 2021

Credit

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.

.