Look up vulnerabilities affecting packages.

GET /api/vulnerabilities/41634?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41634?format=api",
    "vulnerability_id": "VCID-6gs5-dedd-2fey",
    "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nA Command Injection vulnerability exists in the getTopologyHistory service of Apache Storm. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.",
    "aliases": [
        {
            "alias": "CVE-2021-38294"
        },
        {
            "alias": "GHSA-6768-mcjc-8223"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59406?format=api",
            "purl": "pkg:maven/org.apache.storm/storm@1.2.4",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm@1.2.4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/140531?format=api",
            "purl": "pkg:maven/org.apache.storm/storm@2.1.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm@2.1.1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59405?format=api",
            "purl": "pkg:maven/org.apache.storm/storm@2.2.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm@2.2.1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59396?format=api",
            "purl": "pkg:maven/org.apache.storm/storm-server@1.2.4",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-server@1.2.4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59393?format=api",
            "purl": "pkg:maven/org.apache.storm/storm-server@2.1.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-server@2.1.1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59394?format=api",
            "purl": "pkg:maven/org.apache.storm/storm-server@2.2.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-server@2.2.1"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59389?format=api",
            "purl": "pkg:maven/org.apache.storm/storm-server@1.0.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-6gs5-dedd-2fey"
                },
                {
                    "vulnerability": "VCID-9pwb-7wmy-5yh9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-server@1.0.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59390?format=api",
            "purl": "pkg:maven/org.apache.storm/storm-server@2.1.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-6gs5-dedd-2fey"
                },
                {
                    "vulnerability": "VCID-9pwb-7wmy-5yh9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-server@2.1.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/59391?format=api",
            "purl": "pkg:maven/org.apache.storm/storm-server@2.2.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-6gs5-dedd-2fey"
                },
                {
                    "vulnerability": "VCID-9pwb-7wmy-5yh9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-server@2.2.0"
        }
    ],
    "references": [
        {
            "reference_url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "9.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "CRITICAL",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"
        },
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-38294",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.82064",
                    "scoring_system": "epss",
                    "scoring_elements": "0.99227",
                    "published_at": "2026-06-04T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-38294"
        },
        {
            "reference_url": "https://github.com/apache/storm",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "9.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "CRITICAL",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/apache/storm"
        },
        {
            "reference_url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "9.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "CRITICAL",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
        },
        {
            "reference_url": "https://seclists.org/oss-sec/2021/q4/44",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "9.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "CRITICAL",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://seclists.org/oss-sec/2021/q4/44"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38294",
            "reference_id": "CVE-2021-38294",
            "reference_type": "",
            "scores": [
                {
                    "value": "9.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "CRITICAL",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38294"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-6768-mcjc-8223",
            "reference_id": "GHSA-6768-mcjc-8223",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-6768-mcjc-8223"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        },
        {
            "cwe_id": 78,
            "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
            "description": "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 77,
            "name": "Improper Neutralization of Special Elements used in a Command ('Command Injection')",
            "description": "The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component."
        },
        {
            "cwe_id": 74,
            "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
            "description": "The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component."
        }
    ],
    "exploits": [
        {
            "date_added": null,
            "description": "This module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm.\n          The getTopologyHistory RPC method takes a single argument which is the name of a user which is\n          concatenated into a string that is executed by bash. In order for the vulnerability to be exploitable, there\n          must have been at least one topology submitted to the server. The topology may be active or inactive, but at\n          least one must be present. Successful exploitation results in remote code execution as the user running Apache Storm.\n\n          This vulnerability was patched in versions 2.1.1, 2.2.1 and 1.2.4. This exploit was tested on version 2.2.0\n          which is affected.",
            "required_action": null,
            "due_date": null,
            "notes": "Stability:\n  - crash-safe\nReliability:\n  - repeatable-session\nSideEffects:\n  - ioc-in-logs\n  - artifacts-on-disk\n",
            "known_ransomware_campaign_use": false,
            "source_date_published": "2021-10-25",
            "exploit_type": null,
            "platform": "Linux,Unix",
            "source_date_updated": null,
            "data_source": "Metasploit",
            "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/misc/nimbus_gettopologyhistory_cmd_exec.rb"
        }
    ],
    "severity_range_score": "9.0 - 10.0",
    "exploitability": "0.5",
    "weighted_severity": "9.0",
    "risk_score": 4.5,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6gs5-dedd-2fey"
}