CVE-2021-40865

Unsafe Pre-Authentication Deserialization In Workers

EPSS 65.6%CWE-502

Vexday Risk Score

15Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 65.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

25 out 2021Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

Produtos afetados

Apache Software Foundation · Apache Storm

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E https://seclists.org/oss-sec/2021/q4/45