Description
An unsafe deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-authentication Remote Code Execution (RCE).
Remediation
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.
References
https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
https://seclists.org/oss-sec/2021/q4/45
Related Vulnerabilities
CVE-2019-10459 Vulnerability in maven package org.jenkins-ci.plugins:mattermost
CVE-2021-31805 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2022-45470 Vulnerability in maven package org.apache.hama:hama-core
CVE-2023-50730 Vulnerability in maven package org.typelevel:grackle-core_sjs1_3
CVE-2020-1938 Vulnerability in maven package org.apache.tomcat:tomcat-coyote