In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.storm:storm-core(Maven) | 1.2.0 | 1.2.2 | N/A |
| org.apache.storm:storm-core(Maven) | 0 | 1.1.3 | N/A |
CVSS Metrics
