CVE-2021-40865

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
9.8CRITICAL
EPSS
46.2%
top 2.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache StormApache Storm
Timeline
PublishedOct 25
Latest updateOct 27

Description

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDapache/storm1.0.01.2.4+2
Mavenorg.apache.storm:storm2.2.02.2.1+2
CVEListV5apache_software_foundation/apache_stormv1.0.0Apache Storm *+1

🔴Vulnerability Details

3
GHSA
Deserialization of Untrusted Data leading to Remote Code Execution in Apache Storm2021-10-27
OSV
Deserialization of Untrusted Data leading to Remote Code Execution in Apache Storm2021-10-27
CVEList
Unsafe Pre-Authentication Deserialization In Workers2021-10-25
CVE-2021-40865 (CRITICAL CVSS 9.8) | An Unsafe Deserialization vulnerabi | cvebase.io