CVE-2021-40865 – org.apache.storm:storm
Package
Manager: maven
Name: org.apache.storm:storm
Vulnerable Version: >=2.2.0 <2.2.1 || >=1.0.0 <1.2.4 || >=2.1.0 <2.1.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.49399 (percentile 0.97722)
Details
Summary: Deserialization of Untrusted Data leading to Remote Code Execution in Apache Storm
Description: An unsafe deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-authentication Remote Code Execution (RCE); the CVSS vectors above reflect this (network-reachable, no privileges or user interaction required).
Remediation: Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4. These fixed versions are the upper bounds of the vulnerable ranges listed above.
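The practical check a dependency owner needs from this advisory is whether a given org.apache.storm:storm version falls inside the "Vulnerable Version" expression above. The following Python is an added example, not part of the advisory, of the GitHub Advisory Database, or of Apache Storm: it parses that range expression as written on this page, compares versions with a simplified ordering (numeric components, with a `-SNAPSHOT`/`-rcN` qualifier sorting before the bare release, which is not Maven's full algorithm), and scans a constructed pom.xml fragment, including a `${property}`-pinned version, for affected declarations.

```python
"""Evaluate this advisory's affected version ranges against a pom.xml.

Added example; not code from the advisory or from Apache Storm.
"""
import re
import xml.etree.ElementTree as ET

# Copied from the advisory's "Vulnerable Version" and "Name" fields.
AFFECTED_RANGES = ">=2.2.0 <2.2.1 || >=1.0.0 <1.2.4 || >=2.1.0 <2.1.1"
ARTIFACT = "org.apache.storm:storm"

_CMP_RE = re.compile(r"(>=|<=|>|<|=)\s*([0-9][0-9A-Za-z.\-]*)")
_POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '2.2.0' or '2.3.0-SNAPSHOT' into a comparable tuple.

    Simplified ordering (assumption, not Maven's full rules): numeric
    components compare numerically, missing components count as 0, and a
    qualified build (e.g. 2.2.1-SNAPSHOT) sorts before the release 2.2.1.
    """
    core, _, qualifier = v.strip().partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    return (nums, 0 if qualifier else 1, qualifier)


def parse_range(expr):
    """Parse '>=a <b || >=c <d' into a list (OR) of constraint lists (AND)."""
    clauses = []
    for clause in expr.split("||"):
        constraints = _CMP_RE.findall(clause)
        if not constraints:
            raise ValueError(f"unparseable range clause: {clause!r}")
        clauses.append([(op, parse_version(ver)) for op, ver in constraints])
    return clauses


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def is_affected(version, expr=AFFECTED_RANGES):
    """True if `version` satisfies any clause of the advisory's range."""
    pv = parse_version(version)
    return any(all(_OPS[op](pv, bound) for op, bound in clause)
               for clause in parse_range(expr))


# Constructed pom.xml fragment for the example; not taken from any real project.
# The storm dependency is pinned through a property, a common real-world layout.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <storm.version>2.2.0</storm.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.storm</groupId>
      <artifactId>storm</artifactId>
      <version>${storm.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.storm</groupId>
      <artifactId>storm-core</artifactId>
      <version>2.3.0</version>
    </dependency>
  </dependencies>
</project>"""


def _resolve(version, props):
    """Resolve a '${name}' reference against <properties>; else return as-is."""
    m = re.fullmatch(r"\$\{([^}]+)\}", version or "")
    return props.get(m.group(1), "") if m else (version or "")


def find_affected_dependencies(pom_xml, artifact=ARTIFACT, expr=AFFECTED_RANGES):
    """Return [(groupId:artifactId, version)] for declared deps in the range.

    Only directly declared, resolvable versions are checked; versions
    inherited from a parent POM or a BOM are out of scope here.
    """
    group, name = artifact.split(":")
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", _POM_NS)
    props = {} if props_el is None else {
        c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in props_el}
    hits = []
    for dep in root.iterfind(".//m:dependency", _POM_NS):
        g = dep.findtext("m:groupId", default="", namespaces=_POM_NS)
        a = dep.findtext("m:artifactId", default="", namespaces=_POM_NS)
        v = _resolve(dep.findtext("m:version", default="", namespaces=_POM_NS), props)
        if g == group and a == name and v and is_affected(v.strip(), expr):
            hits.append((f"{g}:{a}", v.strip()))
    return hits


if __name__ == "__main__":
    for coord, ver in find_affected_dependencies(SAMPLE_POM):
        print(f"AFFECTED {coord} {ver} (CVE-2021-40865)")
```

Note that, read literally, the range expression on this page does not cover 2.0.x builds; the function reports exactly what the advisory's expression states, so treat any such result as "not listed" rather than "safe" and confirm against the upstream Apache Storm announcement.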
Metadata
Created: 2021-10-27T18:52:06Z
Modified: 2021-10-29T13:51:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-w729-7633-2fw5/GHSA-w729-7633-2fw5.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-w729-7633-2fw5
Finding: F096
Auto approve: 1