Advisories for Maven/Org.apache.storm/Storm-Server package

2021

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm and Apache Storm. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

Deserialization of Untrusted Data

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE).