Information disclosure in Apache Storm

CVE-2019-0202

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not…

Vulnerability class: Information Disclosure

EPSS: 0.006 (71.0th percentile) — read the EPSS interpretation.

Affected products

Apache Storm — versions 0.9.1-incubating to 1.2.2

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

[storm-user] 20190724 [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability (mailing-list, x_refsource_MLIST)