Remote Code Execution (RCE) via Command Injection in Apache Storm's getTopologyHistory Service

Remote Code Execution (RCE) via Command Injection in Apache Storm's getTopologyHistory Service

CVE-2021-38294 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

Learn more about our Cis Benchmark Audit For Apache Http Server.