CVE-2015-3188
CRITICAL 9.8 | EPSS 12.4% | Apache Storm remote code execution vulnerability
Published: 2022/5/14  Modified: 2023/11/8
Description
The UI daemon in Apache Storm 0.10.0-beta allows remote users to run arbitrary code as the user running the web server. With Kerberos authentication this could allow impersonation of arbitrary users on other systems, including HDFS and HBase.
Affected packages (1)
- Maven / org.apache.storm:storm: >= 0.10.0-beta, < 0.10.0-beta1
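The range above is the one actionable datum on this page: exactly one published version, 0.10.0-beta, is affected, and 0.10.0-beta1 is the first fixed one. The following is an added example (it is not code from the advisory feed or from the Apache Storm project) that checks `mvn dependency:list` output against that range. Its version comparator is a deliberately reduced model of Maven's ordering (numeric segments with trailing zeros trimmed, then alpha < beta < milestone < rc < snapshot < release), sufficient for the versions in this advisory but not a port of Maven's `ComparableVersion`; the dependency list is constructed sample input, not output from a real build.

```python
"""Flag Maven dependencies that fall in the CVE-2015-3188 affected range."""
import re
from typing import List, Optional, Tuple

# Coordinate and range copied from the advisory's "Affected packages" entry.
AFFECTED_PACKAGE = "org.apache.storm:storm"
AFFECTED_FROM = "0.10.0-beta"   # inclusive lower bound
FIXED_IN = "0.10.0-beta1"       # exclusive upper bound

# Simplified Maven qualifier ordering, including Maven's one-letter aliases.
# Unknown qualifiers are treated as pre-releases after the known ones; a
# missing qualifier (or "ga"/"final") is a final release and sorts last.
_QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2,
                   "m": 2, "rc": 3, "cr": 3, "snapshot": 4}
_UNKNOWN_RANK = 5
_RELEASE_RANK = 6

VersionKey = Tuple[Tuple[int, ...], int, int]


def version_key(version: str) -> VersionKey:
    """Turn '0.10.0-beta1' into a sortable key ((0, 10), rank_of_beta, 1).

    Trailing zeros are dropped so '0.10' and '0.10.0' compare equal, as in
    Maven. Reduced model of Maven ordering, not a full ComparableVersion port.
    """
    release, _, qualifier = version.partition("-")
    numbers = [int(p) for p in release.split(".") if p.isdigit()]
    while numbers and numbers[-1] == 0:
        numbers.pop()
    if not qualifier or qualifier.lower() in ("ga", "final"):
        return tuple(numbers), _RELEASE_RANK, 0
    m = re.fullmatch(r"([A-Za-z]*)(\d*)", qualifier)
    if m is None:
        return tuple(numbers), _UNKNOWN_RANK, 0
    name, digits = m.group(1).lower(), m.group(2)
    return tuple(numbers), _QUALIFIER_RANK.get(name, _UNKNOWN_RANK), int(digits or 0)


def is_affected(version: str) -> bool:
    """True when version lies in [AFFECTED_FROM, FIXED_IN)."""
    return version_key(AFFECTED_FROM) <= version_key(version) < version_key(FIXED_IN)


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) from a 'mvn dependency:list'
    line or a bare groupId:artifactId:version coordinate; None otherwise."""
    tokens = line.split()
    parts = tokens[-1].split(":") if tokens else []
    if len(parts) == 3:        # groupId:artifactId:version
        group, artifact, version = parts
    elif len(parts) == 5:      # groupId:artifactId:type:version:scope
        group, artifact, _, version, _ = parts
    elif len(parts) == 6:      # groupId:artifactId:type:classifier:version:scope
        group, artifact, _, _, version, _ = parts
    else:
        return None
    return group, artifact, version


def find_affected(dependency_list: str) -> List[str]:
    """Return 'groupId:artifactId:version' for each dependency in the range.

    Only the coordinate listed on the advisory page is matched; other Storm
    artifacts are simply out of scope for this check, not declared safe.
    """
    hits = []
    for line in dependency_list.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if f"{group}:{artifact}" == AFFECTED_PACKAGE and is_affected(version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample in 'mvn dependency:list' format, not real build output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.storm:storm:jar:0.10.0-beta:compile
[INFO]    org.apache.storm:storm-core:jar:0.10.0-beta:compile
[INFO]    org.apache.storm:storm:jar:0.10.0-beta1:compile
[INFO]    org.apache.storm:storm:jar:0.9.5:compile
[INFO]    org.apache.storm:storm:jar:0.10.0:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.7:compile
"""

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_DEPENDENCY_LIST):
        print("AFFECTED by CVE-2015-3188:", hit)
```

Run against `mvn dependency:list` output redirected to a file; the check is on the resolved version, so a POM that declares a range or inherits the version from a parent is still evaluated correctly. The comparator is where such checks usually go wrong: without the qualifier ordering, a naive string comparison would rank 0.10.0-beta1 below 0.10.0-beta and flag the fixed release instead of the vulnerable one.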
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Note that the vector string itself is written in CVSS 3.0 notation; the "CVSS 3.1" label is how the source feed reports it. The metrics (network, low complexity, no privileges, no user interaction, full confidentiality/integrity/availability impact) are the same under either version and give 9.8.
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2015-3188
- WEB: http://packetstormsecurity.com/files/132417/Apache-Storm-0.10.0-beta-Code-Execution.html
- WEB: https://github.com/apache/storm/blob/v0.10.0-beta1/SECURITY.md
- WEB: https://github.com/apache/storm/blob/v0.10.0-beta1/STORM-UI-REST-API.md
- WEB: https://web.archive.org/web/20151014213052/http://www.securitytracker.com/id/1032695
- WEB: https://web.archive.org/web/20171202122914/http://www.securityfocus.com/archive/1/535804/100/0/threaded