A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
Metrics
Affected Vendors & Products
Fixes
Solution
No solution given by the vendor.
Workaround
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0 Apache Storm 2.1.x users should upgrade to version 2.1.1 Apache Storm 1.x users should upgrade to version 1.2.4
References
History
No history.

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-08-04T01:37:16.384Z
Reserved: 2021-08-09T00:00:00
Link: CVE-2021-38294

No data.

Status : Modified
Published: 2021-10-25T13:15:07.957
Modified: 2024-11-21T06:16:44.133
Link: CVE-2021-38294

No data.

No data.