CVE-2021-38294
published 2021-10-25CVE-2021-38294: A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | storm | >= 1.0.0 < 1.2.4 | 1.2.4 |
| apache | storm | >= 2.1.0 < 2.1.1 | 2.1.1 |
| apache | storm | >= 2.2.0 < 2.2.1 | 2.2.1 |
| apache_software_foundation | apache_storm | >= Apache Storm < v1.2.4 | v1.2.4 |
| apache_software_foundation | apache_storm | >= v1.0.0 < Apache Storm* | Apache Storm* |