CVE-2018-11779

Aliases:GHSA-25pc-85qf-6j69

Advisory lineage Upstream: 0 Downstream: 2

Downstream

SUSE-SU-2020:2876-1 SUSE-SU-2020:3309-1

Modified

Published: 25 Jul 2019, 23:23

Last modified:05 Aug 2024, 08:17

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.0 (nvd)

EPSS Score

1.47% LOW

1% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

25 Jul 2019, 23:23

Published

Vulnerability first disclosed

05 Aug 2024, 08:17

Last Modified

Vulnerability information updated

Description

In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.

CVSS Metrics

v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 1.47%• Percentile: 81%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

apache•storm
≥ 1.1.0, ≤ 1.2.2 | 1.1.0 to 1.2.2
org.apache.storm•storm-kafka
≥ 1.1.0, < 1.2.3
org.apache.storm•storm-kafka-client
≥ 1.1.0, < 1.2.3