Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
apache storm vulnerabilities and exploits
(subscribe to this query)
10
CVSSv2
CVE-2015-3188
The UI daemon in Apache Storm 0.10.0 prior to 0.10.0-beta1 allows remote malicious users to execute arbitrary code via unspecified vectors.
Apache Storm 0.10.0
7.8
CVSSv2
CVE-2014-0115
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote malicious users to read arbitrary files via a .. (dot dot) in the file parameter to log.
Apache Storm 0.9.0.1
7.5
CVSSv2
CVE-2021-40865
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. ...
Apache Storm
1 Github repository
7.5
CVSSv2
CVE-2021-38294
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x before 2.2.1 and Apache Storm 1.x before 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
Apache Storm
7.5
CVSSv2
CVE-2018-11779
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.
Apache Storm
6.5
CVSSv2
CVE-2018-1331
In Apache Storm 0.10.0 up to and including 0.10.2, 1.0.0 up to and including 1.0.6, 1.1.0 up to and including 1.1.2, and 1.2.0 up to and including 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.
Apache Storm
5.8
CVSSv2
CVE-2018-8008
Apache Storm version 1.0.6 and previous versions, 1.2.1 and previous versions, and version 1.1.2 and previous versions expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cp...
Apache Storm
5
CVSSv2
CVE-2019-0202
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these ...
Apache Storm 0.9.1
Apache Storm 0.9.2
Apache Storm
5
CVSSv2
CVE-2018-1320
Apache Thrift Java client library versions 0.5.0 up to and including 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in...
Apache Thrift
Debian Debian Linux 8.0
F5 Traffix Signaling Delivery Controller
Oracle Global Lifecycle Management Opatch
Oracle Nosql Database
4.3
CVSSv2
CVE-2017-9799
It was found that under some situations and configurations of Apache Storm 1.x prior to 1.0.4 and 1.1.x prior to 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could...
Apache Storm 1.0.2
Apache Storm 1.1
Apache Storm 1.0.1
Apache Storm 1.0.3
Apache Storm 1.0
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-5248
CVE-2024-3110
CVE-2024-5552
CVE-2024-29415
HTML injection
CVE-2024-3095
TCP
type confusion
CVE-2024-1800
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
NEXT »