CVE-2021-38294

CVE-2021-38294: Shell Command Injection Vulnerability in Nimbus Thrift Server

Vendor Apache Software Foundation
Product Apache Storm
Weakness CWE-74
Published October 25, 2021
Last update August 4, 2024

CVSS base score

What the vulnerability does

01Description

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

Key dates

02Disclosure timeline

October 25, 2021 CVE published
August 4, 2024 Record updated