A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
Fixes

Solution

No solution given by the vendor.


Workaround

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0 Apache Storm 2.1.x users should upgrade to version 2.1.1 Apache Storm 1.x users should upgrade to version 1.2.4

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T01:37:16.384Z

Reserved: 2021-08-09T00:00:00

Link: CVE-2021-38294

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-10-25T13:15:07.957

Modified: 2024-11-21T06:16:44.133

Link: CVE-2021-38294

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.