CVE-2021-38294 — Injection in Software Foundation Apache Storm

CWE-74 — Injection CWE-78 — OS Command Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

84.6%

top 0.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Storm Apache Storm

Timeline

PublishedOct 25

Latest updateOct 27

Description

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/storm1.0.0 — 1.2.4+2

▶CVEListV5apache_software_foundation/apache_stormv1.0.0 — Apache Storm*+1

🔴Vulnerability Details

OSV

Command injection leading to Remote Code Execution in Apache Storm↗2021-10-27

▶

GHSA

Command injection leading to Remote Code Execution in Apache Storm↗2021-10-27

▶

CVEList

Shell Command Injection Vulnerability in Nimbus Thrift Server↗2021-10-25

▶