151 matches found
Apache Storm's Improper Handling of TLS Client Authentication Failure Leads to Anonymous Principal Assignment
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
com.digitalpebble.stormcrawler:storm-crawler-aws (>=2.0 <=2.11), com.digitalpebble.stormcrawler:storm-crawler-core (>=2.0 <=2.11) +77 more potentially affected by CVE-2026-41081 via org.apache.storm:storm-client (>=2.0.0 <=2.8.6)
org.apache.storm:storm-client MAVEN version =2.0.0, =2.0, =2.0, =2.0, =2.0, =2.0, =2.7, =2.0, =2.0, =2.0, =2.1, =2.6.3.1, =2.4.0, =2.4.0, =2.4.0, =2.0.0, =2.8.6 and more Source cves: CVE-2026-41081 Source advisory: OSV:GHSA-J2Q8-XX3Q-8FQH...
GHSA-J2Q8-XX3Q-8FQH Apache Storm's Improper Handling of TLS Client Authentication Failure Leads to Anonymous Principal Assignment
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
GHSA-82FM-WPC2-5PMP Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...
com.digitalpebble.stormcrawler:storm-crawler-aws (>=2.0 <=2.11), com.digitalpebble.stormcrawler:storm-crawler-core (>=2.0 <=2.11) +77 more potentially affected by CVE-2026-41081 via org.apache.storm:storm-client (>=2.0.0 <=2.8.6)
org.apache.storm:storm-client MAVEN version =2.0.0, =2.0, =2.0, =2.0, =2.0, =2.0, =2.7, =2.0, =2.0, =2.0, =2.1, =2.6.3.1, =2.4.0, =2.4.0, =2.4.0, =2.0.0, =2.8.6 and more Source cves: CVE-2026-41081 Source advisory: SNYK:JAVA-ORGAPACHESTORM-16322970...
CVE-2026-41081
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
EUVD-2026-25846
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...
CVE-2026-40557
Summary: CVE-2026-40557 affects Apache Storm Prometheus Reporter (versions 2.6.3–2.8.6). The issue stems from PrometheusPreparableReporter implementing an INSECURE_TRUST_MANAGER and, when storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation is enabled, triggering SSLContext.setDefa...
CVE-2026-41081 Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
Apache Storm Prometheus Reporter 信任管理问题漏洞
Apache Storm Prometheus Reporter is a monitoring component developed by the Apache Foundation that converts metrics from distributed stream processing systems into Prometheus format. Versions 2.6.3 to 2.8.6 of Apache Storm Prometheus Reporter contain vulnerabilities related to trust management...
EUVD-2026-21902
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
Apache Storm: Deserialization of Untrusted Data vulnerability
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
GHSA-JF89-3Q6Q-VCGR Apache Storm: Deserialization of Untrusted Data vulnerability
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
com.digitalpebble.stormcrawler:storm-crawler-aws (>=2.0 <=2.11), com.digitalpebble.stormcrawler:storm-crawler-core (>=2.0 <=2.11) +77 more potentially affected by CVE-2026-35337 via org.apache.storm:storm-client (>=2.0.0 <=2.8.5)
org.apache.storm:storm-client MAVEN version =2.0.0, =2.0, =2.0, =2.0, =2.0, =2.0, =2.7, =2.0, =2.0, =2.0, =2.1, =2.6.3.1, =2.4.0, =2.4.0, =2.4.0, =2.0.0, =2.8.5 and more Source cves: CVE-2026-35337 Source advisory: OSV:GHSA-JF89-3Q6Q-VCGR...
CVE-2026-35337
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
CVE-2026-35337
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
CVE-2026-35337 Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
CVE-2026-35337
CVE-2026-35337 — Apache Storm Deserialization of Untrusted Data via Kerberos TGT Credential Handling. Affected: Storm before 2.8.6. Summary: processing topology credentials submitted to Nimbus Thrift API deserializes base64-encoded TGT blobs with ObjectInputStream.readObject() without class filte...
CVE-2026-35337 Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
CVE-2026-35565
The CVE affects Apache Storm UI before 2.8.6. The Storm UI visualization component interpolates topology metadata (component IDs, stream names, grouping values) directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization, enabling stored XSS when an authenticated user wit...