159 matches found
CVE-2026-35337 Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
CVE-2026-35565 Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Stored Cross-Site Scripting XSS via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in...
CVE-2026-35565 Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Stored Cross-Site Scripting XSS via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in...
CVE-2026-35565
The CVE affects Apache Storm UI before 2.8.6. The Storm UI visualization component interpolates topology metadata (component IDs, stream names, grouping values) directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization, enabling stored XSS when an authenticated user wit...
PT-2026-32328
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...
Apache Storm 安全漏洞
Apache Storm is an open-source distributed real-time computing system developed by the Apache Foundation in the United States. It uses the Clojure programming language for concurrent processing. Prior to Apache Storm 2.8.6, there was a security vulnerability that occurred due to the deserializati...
TencentOS Server 4: storm (TSSA-2024:1013)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:1013 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
EUVD-2018-0648
Malware in sbrugna...
EUVD-2019-0613
Malware in sbrugna...
EUVD-2018-0712
Malware in sbrugna...
EUVD-2018-0656
Malware in sbrugna...
EUVD-2022-3604
Malicious code in bioql PyPI...
EUVD-2023-2917
Malicious code in bioql PyPI...
EUVD-2022-5140
Malicious code in bioql PyPI...
CVE-2021-38294
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution RCE prior to authentication...
CVE-2018-11779
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class...
CVE-2019-0202
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints...
CVE-2023-43123
On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method...
The vulnerability of the Apache Storm distributed stream processing software’s software platform in UNIX-like operating systems, related to access control deficiencies, allows attackers to disclose sensitive information.
The vulnerability of the Apache Storm distributed stream processing software’s software platform in UNIX-like operating systems is related to lack of access control mechanisms. Exploiting this vulnerability can allow attackers to disclose sensitive information that is protected by the system’s...
Apache Storm Information Disclosure Vulnerability (CNVD-2023-9666324)
Apache Storm is the United States Apache Apache Foundation of a set of open source distributed real-time computing system developed using Clojure concurrent programming language. Apache Storm suffers from an information disclosure vulnerability that stems from a temporary directory shared among a...