Overview
- Description
- An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
- Source
- security@apache.org
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
CVSS 2.0
- Type
- Primary
- Base score
- 7.5
- Impact score
- 6.4
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:P/A:P
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BE613C03-8B01-4BDF-8386-81D463DB24BD",
"versionEndExcluding": "1.2.4",
"versionStartIncluding": "1.0.0"
},
{
"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "19A86308-A958-4EC5-BFFF-87DDE964A6DA",
"versionEndExcluding": "2.1.1",
"versionStartIncluding": "2.1.0"
},
{
"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FBDC8657-39A9-4392-93D6-440F5EDAA4F0",
"versionEndExcluding": "2.2.1",
"versionStartIncluding": "2.2.0"
}
],
"operator": "OR"
}
]
}
]