CVE-2017-9799: Moderate severity vulnerability that affects org.apache.storm:storm-core

October 17, 2018 (updated September 21, 2021)

It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.

References

www.securityfocus.com/bid/100235
www.securitytracker.com/id/1039116
github.com/advisories/GHSA-x825-rjww-2245
lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2017-9799

Detect and mitigate CVE-2017-9799 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →