CVE-2021-38294: Shell Command Injection Vulnerability in Nimbus Thrift Server

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.


oss-sec mailing list archives

CVE-2021-38294: Apache Storm: Shell Command Injection Vulnerability in Nimbus Thrift Server

From: Derek Dagit <dagit () apache org>
Date: Thu, 21 Oct 2021 03:02:08 +0000

Severity: high

Description:

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

Mitigation:

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0.
Apache Storm 2.1.x users should upgrade to version 2.1.1.
Apache Storm 1.x users should upgrade to version 1.2.4.

Credit:

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.
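To act on the mitigation above across a fleet, a defender needs to map installed Storm versions onto the fixed releases the advisory names. The following is an added example, not part of the advisory or the Apache Storm project; the inventory lines and host names are constructed, and it assumes plain dotted version strings (a pre-release suffix such as "-SNAPSHOT" is ignored).

```python
"""Classify Apache Storm versions against the fixed releases named in the
CVE-2021-38294 advisory. Added example, not part of the advisory; the
inventory below is constructed sample data."""
import re


def parse_version(text: str) -> tuple:
    """Parse '2.2.0' or '2.2.0-SNAPSHOT' into a 3-tuple; missing parts are 0."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"not a Storm version: {text!r}")
    return tuple((parts + [0, 0, 0])[:3])


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'not covered' per the advisory.

    Fixed releases from the Mitigation section: 1.2.4 for 1.x, 2.1.1 for
    2.1.x, 2.2.1 for 2.2.x, and 2.3.0 onwards. No fixed 2.0.x release is
    listed, so 2.0.x is treated as affected.
    """
    v = parse_version(text)
    major, minor = v[0], v[1]
    if major == 1:
        return "affected" if v < (1, 2, 4) else "fixed"
    if major == 2:
        if minor == 1:
            fixed_at = (2, 1, 1)
        elif minor == 2:
            fixed_at = (2, 2, 1)
        else:
            fixed_at = (2, 3, 0)  # 2.0.x falls below this; 2.3+ is at or above
        return "affected" if v < fixed_at else "fixed"
    return "not covered"  # the advisory names only 1.x and 2.x


def scan_inventory(lines):
    """Map 'host version' lines to {host: status}; blank and '#' lines skipped."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split()[:2]
        result[host] = classify(version)
    return result


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = ["# host storm_version", "nimbus-a 2.2.0",
                    "nimbus-b 2.1.1", "nimbus-c 1.2.3", "nimbus-d 2.3.0"]

if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```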

