GHSA-6768-mcjc-8223

GitHub Security Advisory

Command injection leading to Remote Code Execution in Apache Storm

✓ GitHub Reviewed | Severity: CRITICAL | Has CVE

Advisory Details

A command injection vulnerability exists in the getTopologyHistory service of Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted Thrift request to the Nimbus server allows Remote Code Execution (RCE) on the Nimbus host. The vulnerable code path runs before any authentication check, so the attacker needs no credentials: network reachability to the Nimbus Thrift port (6627 by default) is sufficient. Operators should upgrade to a fixed release and, as a compensating control, ensure that port is not reachable from untrusted networks.
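The pattern behind this class of bug, as an added illustration written for this page rather than code from Apache Storm or from the advisory: the advisory does not show the vulnerable code, so the example assumes a group lookup that splices a caller-supplied user name into a string handed to `bash -c` (the vulnerable form), and places beside it a hardened version that validates the name against a strict allow-list and passes it as a separate argv element so no shell ever re-parses it. Class and method names (`GroupLookupDemo`, `unsafeGroupsCommand`, `safeGroupsCommand`) and the attacker input are invented for the demo.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.regex.Pattern;

// Added illustration, not Apache Storm's code. It models the class of bug
// the advisory describes: a request-controlled user name reaching a shell.
public class GroupLookupDemo {

    // Vulnerable pattern (assumed for this demo, not copied from Storm):
    // the user name is concatenated into a command line that "bash -c"
    // then parses. Any shell metacharacter in `user` (";", "$(...)", "`",
    // "|") becomes part of the command, so an unauthenticated request that
    // carries "x; touch /tmp/pwned" runs touch on the Nimbus host.
    static String[] unsafeGroupsCommand(String user) {
        return new String[] {"bash", "-c", "id -gn " + user + " && id -Gn " + user};
    }

    // Hardened form: reject anything that is not a plausible POSIX user
    // name, and pass it to the process as its own argv entry. Without a
    // shell in the loop, metacharacters are just bytes in an argument.
    private static final Pattern SAFE_USER =
            Pattern.compile("^[a-z_][a-z0-9_-]{0,31}\\$?$");

    static String[] safeGroupsCommand(String user) {
        if (user == null || !SAFE_USER.matcher(user).matches()) {
            throw new IllegalArgumentException("rejecting user name: " + user);
        }
        return new String[] {"id", "-Gn", user};
    }

    // Run an argv array directly (no shell) and return combined output.
    static String runCommand(String[] argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        byte[] out = p.getInputStream().readAllBytes();
        p.waitFor();
        return new String(out).trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input: a "user name" that carries a command.
        String payload = "nobody; echo INJECTED";

        // Vulnerable path: bash parses the string, so the echo runs.
        System.out.println("unsafe argv: " + Arrays.toString(unsafeGroupsCommand(payload)));
        System.out.println("unsafe out : " + runCommand(unsafeGroupsCommand(payload)));

        // Hardened path: the same input is rejected before any process starts.
        try {
            safeGroupsCommand(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("safe       : " + e.getMessage());
        }
        // A legitimate name still works, and reaches id(1) as one argument.
        System.out.println("safe argv  : " + Arrays.toString(safeGroupsCommand("nobody")));
    }
}
```

Run with `java GroupLookupDemo.java` (Java 11 or later) on a Unix host: the unsafe branch prints the injected marker, the safe branch throws on the same input. The validation regex is deliberately conservative; if a deployment uses user names outside that character set, widen the allow-list rather than reintroducing a shell.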

Affected Packages

Maven org.apache.storm:storm
Affected versions: >= 2.2.0 and < 2.2.1 (fixed in 2.2.1)
Maven org.apache.storm:storm
Affected versions: >= 2.0.0 and < 2.1.1 (fixed in 2.1.1)
Maven org.apache.storm:storm
Affected versions: >= 1.0.0 and < 1.2.4 (fixed in 1.2.4)

Related CVEs

Key Information

GHSA ID
GHSA-6768-mcjc-8223
Published
October 27, 2021 6:51 PM
Last Modified
October 19, 2022 3:36 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
org.apache.storm:storm
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.