CVE-2021-40865: Unsafe Pre-Authentication Deserialization In Workers

Vendor: Apache Software Foundation
Product: Apache Storm
Weakness: CWE-502 (Unsafe deserialization)
Published: October 25, 2021
Last update: August 4, 2024

What the vulnerability does

01 Description

An unsafe deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-authentication remote code execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.

Key dates

02 Disclosure timeline

October 25, 2021: CVE published
August 4, 2024: Record updated