Apache Storm: it is possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user
High severity
GitHub Reviewed
Published Oct 17, 2018 to the GitHub Advisory Database
Updated Jan 9, 2023
Package
Affected versions
= 1.1.0
>= 1.0.0, < 1.0.4
Patched versions
1.1.1
1.0.4
Description
Reviewed
Jun 16, 2020
It was found that, under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case this could lead to the secure credentials of that other user being compromised.