ApacheStorm

14 matches found

CVE · added 2019/07/25 11:23 p.m. · 217 views

CVE-2018-11779

Technical details about CVE-2018-11779 are not provided in the supplied documents. Monitor for updates from official advisories.

CVSS 9.8 · AI score 9.3 · EPSS 0.03477
CVE · added 2019/07/25 11:17 p.m. · 203 views

CVE-2019-0202

CVE-2019-0202 affects Apache Storm Logviewer: versions 0.9.1-incubating through 1.2.2 expose HTTP endpoints that allow reading arbitrary host files via the logviewer. The root cause is an information disclosure vulnerability in the log viewer endpoints, enabling reading files not intended for acc...

CVSS 7.5 · AI score 7.4 · EPSS 0.02043
CVE · added 2021/10/25 12:22 p.m. · 128 views

CVE-2021-38294

CVE-2021-38294 affects Apache Storm 2.x (<2.2.1) and 1.x (

CVSS 9.8 · AI score 9.8 · EPSS 0.84489
CVE · added 2021/10/25 12:22 p.m. · 105 views

CVE-2021-40865

CVE-2021-40865 affects Apache Storm: Unsafe Deserialization in the worker services of the Storm supervisor server enables pre-auth remote code execution. Vulnerable lines include Storm 2.2.x (upgrade to 2.2.1 or 2.3.0), 2.1.x (upgrade to 2.1.1), and 1.x (upgrade to 1.2.4). Other connected advisor...

CVSS 9.8 · AI score 9.6 · EPSS 0.65587
CVE · added 2018/06/05 7:00 p.m. · 87 views

CVE-2018-1332

Summary: CVE-2018-1332 affects Apache Storm up to v1.0.6, v1.2.1, and v1.1.2 (and earlier), enabling user impersonation when communicating with certain Storm Daemons. The connected sources reiterate that the vulnerability allows impersonation but do not provide a concrete fix, patch version, or m...

CVSS 6.5 · AI score 6.2 · EPSS 0.01484
CVE · added 2017/08/09 9:00 p.m. · 85 views

CVE-2017-9799

CVE-2017-9799 affects Apache Storm 1.x prior to 1.0.4 and 1.1.x prior to 1.1.1. The issue allows a topology owner to trick the supervisor into launching a worker as a different, non-root user, enabling exposure of that user’s credentials. Impact is described as potential credential compromise and...

CVSS 8.8 · AI score 8.5 · EPSS 0.04872
CVE · added 2018/06/05 7:00 p.m. · 82 views

CVE-2018-8008

CVE-2018-8008 affects Apache Storm up to 1.0.6, 1.2.1, and 1.1.2, enabling arbitrary file write via specially crafted archives with path traversal filenames that extract outside the target directory. Connected advisories corroborate a ZipSlip-style flaw across multiple Storm releases. Remediation...

CVSS 5.8 · AI score 5.8 · EPSS 0.02361
CVE · added 2023/11/23 9:16 a.m. · 80 views

CVE-2023-43123

CVE-2023-43123 affects Apache Storm (Storm-core) on Unix-like systems where a shared temporary directory can allow other local users to read sensitive data written by temp files created via File.createTempFile (permissions -rw-r--r-- by default). The issue is triggered when the system property 'j...

CVSS 5.5 · AI score 5 · EPSS 0.00346
CVE · added 2018/07/10 5:00 p.m. · 69 views

CVE-2018-1331

The provided connected documents confirm CVE-2018-1331 affects Apache Storm versions: 0.10.0–0.10.2, 1.0.0–1.0.6, 1.1.0–1.1.2, and 1.2.0–1.2.1. The vulnerability allows an attacker with access to a secure Storm cluster to execute arbitrary code as a different user. The available sources describe ...

CVSS 8.8 · AI score 8.8 · EPSS 0.04481
CVE · added 2017/01/13 3:00 p.m. · 61 views

CVE-2015-3188

The CVE-2015-3188 issue affects Apache Storm UI daemon: Storm 0.10.0-beta (before 0.10.0-beta1) allows remote attackers to execute arbitrary code via unspecified vectors. The root cause is the UI daemon handling requests in a way that permits code execution when exposed to unauthenticated/remote ...

CVSS 10 · AI score 9.7 · EPSS 0.14399
CVE · added 2017/10/30 4:00 p.m. · 45 views

CVE-2014-0115

The CVE-2014-0115 entry describes a directory traversal vulnerability in the log viewer of Apache Storm 0.9.0.1. An attacker can use a .. sequence in the log file parameter to read arbitrary files, potentially exposing sensitive data. The connected sources reiterate this flaw (path traversal in A...

CVSS 7.8 · AI score 7.4 · EPSS 0.0525
CVE · added 2026/04/27 1:10 p.m. · 34 views

CVE-2026-41081

CVE-2026-41081: In Apache Storm, TLS transport with the default configuration (client certificates not required) can assign a fallback principal CN=ANONYMOUS when a client certificate is missing or verification fails, because SSLPeerUnverifiedException is caught and the connection is not rejected. This “fail-open” ca...

CVSS 6.5 · AI score 5.1 · EPSS 0.00286
CVE · added 2026/04/13 9:11 a.m. · 22 views

CVE-2026-35337

CVE-2026-35337: Apache Storm Deserialization of Untrusted Data via Kerberos TGT Credential Handling. Affected: Storm before 2.8.6. Summary: processing topology credentials submitted to the Nimbus Thrift API deserializes base64-encoded TGT blobs with ObjectInputStream.readObject() without class filte...

CVSS 8.8 · AI score 6.4 · EPSS 0.01011
CVE · added 2026/04/13 9:10 a.m. · 14 views

CVE-2026-35565

CVE-2026-35565 affects Apache Storm UI before 2.8.6. The Storm UI visualization component interpolates topology metadata (component IDs, stream names, grouping values) directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization, enabling stored XSS when an authenticated user wit...

CVSS 5.4 · AI score 5.9 · EPSS 0.00466