CVE-2018-11779
Technical details about CVE-2018-11779 are not provided in the supplied documents. Monitor for updates from official advisories.
CVE-2019-0202
CVE-2019-0202 affects Apache Storm Logviewer: versions 0.9.1-incubating through 1.2.2 expose HTTP endpoints that allow reading arbitrary host files via the logviewer. The root cause is an information disclosure vulnerability in the log viewer endpoints, enabling reading files not intended for acc...
CVE-2021-38294
CVE-2021-38294 affects Apache Storm 2.x (<2.2.1) and 1.x (
CVE-2021-40865
CVE-2021-40865 affects Apache Storm: Unsafe Deserialization in the worker services of the Storm supervisor server enables pre-auth remote code execution. Vulnerable lines include Storm 2.2.x (upgrade to 2.2.1 or 2.3.0), 2.1.x (upgrade to 2.1.1), and 1.x (upgrade to 1.2.4). Other connected advisor...
CVE-2018-1332
Summary: CVE-2018-1332 affects Apache Storm up to v1.0.6, v1.2.1, and v1.1.2 (and earlier), enabling user impersonation when communicating with certain Storm Daemons. The connected sources reiterate that the vulnerability allows impersonation but do not provide a concrete fix, patch version, or m...
CVE-2017-9799
CVE-2017-9799 affects Apache Storm 1.x prior to 1.0.4 and 1.1.x prior to 1.1.1. The issue allows a topology owner to trick the supervisor into launching a worker as a different, non-root user, enabling exposure of that user’s credentials. Impact is described as potential credential compromise and...
CVE-2018-8008
CVE-2018-8008 affects Apache Storm up to 1.0.6, 1.2.1, and 1.1.2, enabling arbitrary file write via specially crafted archives with path traversal filenames that extract outside the target directory. Connected advisories corroborate a ZipSlip-style flaw across multiple Storm releases. Remediation...
CVE-2023-43123
CVE-2023-43123 affects Apache Storm (Storm-core) on Unix-like systems where a shared temporary directory can allow other local users to read sensitive data written by temp files created via File.createTempFile (permissions -rw-r--r-- by default). The issue is triggered when the system property 'j...
CVE-2018-1331
The provided connected documents confirm CVE-2018-1331 affects Apache Storm versions: 0.10.0–0.10.2, 1.0.0–1.0.6, 1.1.0–1.1.2, and 1.2.0–1.2.1. The vulnerability allows an attacker with access to a secure Storm cluster to execute arbitrary code as a different user. The available sources describe ...
CVE-2015-3188
The CVE-2015-3188 issue affects Apache Storm UI daemon: Storm 0.10.0-beta (before 0.10.0-beta1) allows remote attackers to execute arbitrary code via unspecified vectors. The root cause is the UI daemon handling requests in a way that permits code execution when exposed to unauthenticated/remote ...
CVE-2014-0115
The CVE-2014-0115 entry describes a directory traversal vulnerability in the log viewer of Apache Storm 0.9.0.1. An attacker can use a .. sequence in the log file parameter to read arbitrary files, potentially exposing sensitive data. The connected sources reiterate this flaw (path traversal in A...
CVE-2026-41081
CVE-2026-41081: In Apache Storm, TLS transport with default config (client certs not required) can assign a fallback principal CN=ANONYMOUS when a client certificate is missing or verification fails, because SSLPeerUnverifiedException is caught and connection is not rejected. This “fail-open” ca...
CVE-2026-35337
CVE-2026-35337 — Apache Storm Deserialization of Untrusted Data via Kerberos TGT Credential Handling. Affected: Storm before 2.8.6. Summary: processing topology credentials submitted to Nimbus Thrift API deserializes base64-encoded TGT blobs with ObjectInputStream.readObject() without class filte...
CVE-2026-35565
The CVE affects Apache Storm UI before 2.8.6. The Storm UI visualization component interpolates topology metadata (component IDs, stream names, grouping values) directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization, enabling stored XSS when an authenticated user wit...