storm-core is vulnerable to arbitrary code execution as a different user. The vulnerability is caused by a flaw that allows a topology owner to mislead the supervisor into running a worker as a different (i.e., non-root) user. In the worst case, this exposes all of that user's credentials.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | storm core | eq | 1.0.3 |
| | storm core | eq | 1.1.0 |
| | storm core | le | 1.0.2 |
| | storm core | le | 0.10.2 |
seclists.org/oss-sec/2017/q3/272
www.securityfocus.com/bid/100235
www.securitytracker.com/id/1039116
github.com/apache/storm/blob/v1.1.1/CHANGELOG.md#111
github.com/apache/storm/commit/44b80fbfcf8a52b6e7cb3840a52ff07f8a2364e4
lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3E