SUSE CVE-2018-11779

In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class...

OESA-2021-1415 storm security update

Apache Storm realtime computation system Security Fixes: An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution RCE. Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x...

org.apache.storm:flux-core (>=1.2.0 <=1.2.1), org.apache.storm:storm-elasticsearch-examples (>=1.2.0 <=1.2.1) +14 more potentially affected by CVE-2018-1331 via org.apache.storm:storm-core (>=1.2.0 <=1.2.1)

org.apache.storm:storm-core MAVEN version =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.1 and more Source cves: CVE-2018-1331 Source advisory: OSV:GHSA-P8JX-X2VW-WM33...

GHSA-X825-RJWW-2245 Apache Storm it is possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user

It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure...