PT-2017-3167 · Apache · Apache Storm

Published

2017-10-30

Updated

2022-05-17

CVE-2014-0115

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache Storm version 0.9.0.1

Description The issue is related to a directory traversal vulnerability in the log viewer of Apache Storm. This vulnerability allows remote attackers to read arbitrary files by using a .. (dot dot) in the file parameter to log. The vulnerability is caused by insufficient restrictions on the directory path name, which can be exploited by an attacker to access files outside the intended directory.

Recommendations For Apache Storm version 0.9.0.1, consider restricting access to the log viewer or disabling the feature until a patch is available. As a temporary workaround, avoid using the file parameter with .. (dot dot) sequences in the log viewer to minimize the risk of exploitation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

BDU:2017-02579

CVE-2014-0115

GHSA-CPP8-R8PR-WV4V

Affected Products

Apache Storm

PT-2017-3167 · Apache · Apache Storm

CVE-2014-0115

Weakness Enumeration

Related Identifiers

Affected Products

References · 7