CVE-2017-9799

4 documents, 4 sources
Severity: 8.8 HIGH
EPSS: 0.9% (top 24.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 9; latest update Oct 17

Description

It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

CVEList V5 | apache_software_foundation/apache_storm | 1.0.0 through 1.0.3, 1.1.0 (+1 more)
Maven | org.apache.storm:storm-core | affected 1.1.0, fixed in 1.1.1 (+1 more)
NVD | apache/storm | 5 versions (+4 more)

Vulnerability Details (3 entries)

OSV: Apache Storm it is possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user (2018-10-17)
GHSA: Apache Storm it is possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user (2018-10-17)
CVEList: CVE-2017-9799: It was found that under some situations and configurations of Apache Storm 1 (2017-08-09)