CVE-2018-1332 - Vulnerability Details - OpenCVE

Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0043.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Storm

Configuration 1 [-]

cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2018-0656	Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
Github GHSA	GHSA-q35p-chc6-7x57	Moderate severity vulnerability that affects org.apache.storm:storm-core

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.securityfocus.com/bid/104399
https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2018-06-05T19:00:00Z

Updated: 2024-09-16T16:23:01.430Z

Reserved: 2017-12-07T00:00:00

Link: CVE-2018-1332

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-05T19:29:00.217

Modified: 2024-11-21T03:59:38.493

Link: CVE-2018-1332

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Storm", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"}]}], "datePublic": "2018-06-05T00:00:00", "descriptions": [{"lang": "en", "value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons."}], "problemTypes": [{"descriptions": [{"description": "User Impersonation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-07T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"}, {"name": "104399", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104399"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-06-05T00:00:00", "ID": "CVE-2018-1332", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Storm", "version": {"version_data": [{"version_value": "Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "User Impersonation"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4@%3Cdev.storm.apache.org%3E", "refsource": "CONFIRM", "url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4@%3Cdev.storm.apache.org%3E"}, {"name": "104399", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104399"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:59:38.537Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"}, {"name": "104399", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104399"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1332", "datePublished": "2018-06-05T19:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T16:23:01.430Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*", "matchCriteriaId": "265E8751-BB87-4F1F-8271-D35DB199C986", "versionEndIncluding": "1.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*", "matchCriteriaId": "540EA459-08DF-43BF-B9BD-866B00B977FA", "versionEndIncluding": "1.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF46C169-8C83-4DA2-AFDC-B41D5B5F5139", "versionEndIncluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons."}, {"lang": "es", "value": "Apache Storm en versiones 1.0.6 y anteriores, 1.2.1 y anteriores y versiones 1.1.2 y anteriores expone una vulnerabilidad que podr\u00eda permitir que un usuario suplante a otro al comunicarse con algunos demonios Storm."}], "id": "CVE-2018-1332", "lastModified": "2024-11-21T03:59:38.493", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-05T19:29:00.217", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104399"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104399"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/50f1d6a7af27f49d2e498a9ab2975685302cd8ca47000b7c38f339a4%40%3Cdev.storm.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}