In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.

Affected Packages

Maven org.apache.storm:storm-core

Affected versions: 1.2.0 (fixed in 1.2.2)

Maven org.apache.storm:storm-core

Affected versions: 0 (fixed in 1.1.3)

Related CVEs

CVE-2018-1331

Key Information

GHSA ID

GHSA-p8jx-x2vw-wm33

Published

October 17, 2018 7:48 PM

Last Modified

April 19, 2024 7:46 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.apache.storm:storm-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.