Description
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE).
Remediation
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.
References
https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
https://seclists.org/oss-sec/2021/q4/45