CVE-2019-0202
Aliases:GHSA-r9pv-hg64-jqrp
Advisory lineage Upstream: 0 Downstream: 2
Downstream
Modified
Published: 25 Jul 2019, 23:17
Last modified:04 Aug 2024, 17:44
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.0 (nvd)
EPSS Score
0.64% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
25 Jul 2019, 23:17
Published
Vulnerability first disclosed
04 Aug 2024, 17:44
Last Modified
Vulnerability information updated
Description
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.
CVSS Metrics
- v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 0.64%• Percentile: 71%
Techniques & Countermeasures
- CWE-532•Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
- CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Affected Systems
- apache•storm
≥ 0.9.3, ≤ 1.2.2 | 0.9.1:incubating | 0.9.2:incubating | 0.9.1-incubating to 1.2.2
- org.apache.storm•storm-core
≥ 0.9.1-incubating, < 1.2.3
References (4)
- https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f%40%3Cuser.storm.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2019-0202
- https://github.com/apache/storm
- https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f@%3Cuser.storm.apache.org%3E