Lucene search
Veracode Vulnerability DatabaseVERACODE:4898HistoryAug 10, 2017 - 5:18 a.m.
Arbitrary Code Execution As A Different User
2017-08-1005:18:12
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
5
0.004 Low
EPSS
Percentile
73.3%
storm-core is vulnerable to arbitrary code execution as a different user. The vulnerability is possible due to a flaw which allows a topology owner to mislead the supervisor to run a worker as a different user (i.e., non-root). In the worst case, this exposes all the credentials of the user.
| CPE | Name | Operator | Version |
|---|---|---|---|
| storm core | eq | 1.0.3 | |
| storm core | eq | 1.1.0 | |
| storm core | le | 1.0.2 | |
| storm core | le | 0.10.2 |
References
seclists.org/oss-sec/2017/q3/272
www.securityfocus.com/bid/100235
www.securitytracker.com/id/1039116
github.com/apache/storm/blob/v1.1.1/CHANGELOG.md#111
github.com/apache/storm/commit/44b80fbfcf8a52b6e7cb3840a52ff07f8a2364e4
lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3E
Related
osv
osv
Apache Storm it is possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user
2018-10-17 18:30:01
CVE-2017-9799
2017-08-09 21:29:01
suse
suse
Security update for storm, storm-kit (important)
2017-11-13 15:07:14
github
github
nvd
nvd
CVE-2017-9799
2017-08-09 21:29:01
cve
cve
CVE-2017-9799
2017-08-09 21:29:01
prion
prion
Code injection
2017-08-09 21:29:00
cvelist
cvelist
CVE-2017-9799
2017-08-09 00:00:00