VulnerableCode Package Details - pkg:maven/org.apache.storm/storm-client@2.8.7

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-du5r-hn2a-rfe1	Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) - Ensure authorization rules explicitly deny access to CN=ANONYMOUS - Review all ACL configurations for implicit default-allow behavior	CVE-2026-41081 GHSA-j2q8-xx3q-8fqh

Vulnerability

Summary

Aliases

VCID-du5r-hn2a-rfe1

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) - Ensure authorization rules explicitly deny access to CN=ANONYMOUS - Review all ACL configurations for implicit default-allow behavior

CVE-2026-41081
GHSA-j2q8-xx3q-8fqh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:29:38.731972+00:00	GHSA Importer	Fixing	VCID-du5r-hn2a-rfe1	https://github.com/advisories/GHSA-j2q8-xx3q-8fqh	38.6.0
2026-06-12T22:14:07.409182+00:00	GitLab Importer	Fixing	VCID-du5r-hn2a-rfe1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.storm/storm-client/CVE-2026-41081.yml	38.6.0
2026-06-12T07:45:31.187452+00:00	GithubOSV Importer	Fixing	VCID-du5r-hn2a-rfe1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-j2q8-xx3q-8fqh/GHSA-j2q8-xx3q-8fqh.json	38.6.0