CVE-2021-40865

Source
https://cve.org/CVERecord?id=CVE-2021-40865
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40865.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-40865
Aliases
Downstream
Published
2021-10-25T13:15:08.140Z
Modified
2025-11-20T11:53:35.986272Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-authentication Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.

References

Affected packages

Git / github.com/apache/storm

Affected ranges

Type
GIT
Repo
https://github.com/apache/storm
Events

Affected versions

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40865.json"