Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jZzVoLXE5ODMtNHJ3d84AAWCX
Apache Storm remote code execution vulnerability
The UI daemon in Apache Storm 0.10.0-beta allows remote users to run arbitrary code as the user running the web server. With kerberos authentication this could allow impersonation of arbitrary users on other systems, including HDFS and HBase.
Permalink: https://github.com/advisories/GHSA-cg5h-q983-4rwwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZzVoLXE5ODMtNHJ3d84AAWCX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-cg5h-q983-4rww, CVE-2015-3188
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-3188
- http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html
- https://github.com/apache/storm/blob/v0.10.0-beta1/SECURITY.md
- https://github.com/apache/storm/blob/v0.10.0-beta1/STORM-UI-REST-API.md
- https://web.archive.org/web/20151014213052/http://www.securitytracker.com/id/1032695
- https://web.archive.org/web/20171202122914/http://www.securityfocus.com/archive/1/535804/100/0/threaded
- https://github.com/advisories/GHSA-cg5h-q983-4rww
Blast Radius: 12.1
Affected Packages
maven:org.apache.storm:storm
Dependent packages: 0Dependent repositories: 17
Downloads:
Affected Version Ranges: = 0.10.0-beta
Fixed in: 0.10.0-beta1
All affected versions: 0.10.0-beta
All unaffected versions: 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.10.0, 0.10.1, 0.10.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2