CVE-2015-3188
Severity: CRITICAL 9.8 | EPSS: 12.4%
Apache Storm remote code execution vulnerability
Published: 5/14/2022 | Modified: 11/8/2023
Description
The UI daemon in Apache Storm 0.10.0-beta allows remote users to run arbitrary code as the user running the web server. With kerberos authentication this could allow impersonation of arbitrary users on other systems, including HDFS and HBase.
Affected packages (1)
- Maven / org.apache.storm:storm: >= 0.10.0-beta, < 0.10.0-beta1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2015-3188
- WEB: http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html
- WEB: https://github.com/apache/storm/blob/v0.10.0-beta1/SECURITY.md
- WEB: https://github.com/apache/storm/blob/v0.10.0-beta1/STORM-UI-REST-API.md
- WEB: https://web.archive.org/web/20151014213052/http://www.securitytracker.com/id/1032695
- WEB: https://web.archive.org/web/20171202122914/http://www.securityfocus.com/archive/1/535804/100/0/threaded