CVE-2021-38294

Summary

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Stormv1.0.0 < Apache Storm*affected
Apache Software FoundationApache StormApache Storm < v1.2.4affected

Weaknesses

  • CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Workarounds

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0 Apache Storm 2.1.x users should upgrade to version 2.1.1 Apache Storm 1.x users should upgrade to version 1.2.4

ADP Enrichment

CVE Program Container

Additional References

References