{
  "url": "http://public2.vulnerablecode.io/api/packages/1005487?format=json",
  "purl": "pkg:maven/org.apache.storm/storm-client@2.8.4",
  "type": "maven",
  "namespace": "org.apache.storm",
  "name": "storm-client",
  "version": "2.8.4",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "2.8.7",
  "latest_non_vulnerable_version": "2.8.7",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80846?format=json",
      "vulnerability_id": "VCID-du5r-hn2a-rfe1",
      "summary": "Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\n\nVersions Affected: up to 2.8.7\n\nDescription: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\n\nThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\n\nImpact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\n\nMitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\n\nUsers who cannot upgrade immediately should:\n- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\n- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\n- Review all ACL configurations for implicit default-allow behavior",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41081",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34133", "published_at": "2026-06-13T12:55:00Z"},
            {"value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34111", "published_at": "2026-06-14T12:55:00Z"},
            {"value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.33932", "published_at": "2026-06-11T12:55:00Z"},
            {"value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34108", "published_at": "2026-06-12T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41081"
        },
        {
          "reference_url": "https://github.com/apache/storm",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apache/storm"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41081",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41081"
        },
        {
          "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/25/3",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "http://www.openwall.com/lists/oss-security/2026/04/25/3"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-j2q8-xx3q-8fqh",
          "reference_id": "GHSA-j2q8-xx3q-8fqh",
          "reference_type": "",
          "scores": [
            {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-j2q8-xx3q-8fqh"
        },
        {
          "reference_url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8",
          "reference_id": "plxx5l29dvplk5rwzdcq53rdfl6v4gs8",
          "reference_type": "",
          "scores": [
            {"value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-27T14:42:46Z/"}
          ],
          "url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/373535?format=json",
          "purl": "pkg:maven/org.apache.storm/storm-client@2.8.7",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-client@2.8.7"
        }
      ],
      "aliases": ["CVE-2026-41081", "GHSA-j2q8-xx3q-8fqh"],
      "risk_score": 3.1,
      "exploitability": "0.5",
      "weighted_severity": "6.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-du5r-hn2a-rfe1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71559?format=json",
      "vulnerability_id": "VCID-whh5-mqgr-1bc7",
      "summary": "Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35337",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.4191", "published_at": "2026-06-13T12:55:00Z"},
            {"value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.419", "published_at": "2026-06-14T12:55:00Z"},
            {"value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41726", "published_at": "2026-06-11T12:55:00Z"},
            {"value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41891", "published_at": "2026-06-12T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35337"
        },
        {
          "reference_url": "https://github.com/apache/storm",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/apache/storm"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35337",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35337"
        },
        {
          "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/12/6",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "http://www.openwall.com/lists/oss-security/2026/04/12/6"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-jf89-3q6q-vcgr",
          "reference_id": "GHSA-jf89-3q6q-vcgr",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-jf89-3q6q-vcgr"
        },
        {
          "reference_url": "https://storm.apache.org/2026/04/12/storm286-released.html",
          "reference_id": "storm286-released.html",
          "reference_type": "",
          "scores": [
            {"value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-13T14:04:21Z/"}
          ],
          "url": "https://storm.apache.org/2026/04/12/storm286-released.html"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/373389?format=json",
          "purl": "pkg:maven/org.apache.storm/storm-client@2.8.6",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {"vulnerability": "VCID-du5r-hn2a-rfe1"}
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-client@2.8.6"
        }
      ],
      "aliases": ["CVE-2026-35337", "GHSA-jf89-3q6q-vcgr"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-whh5-mqgr-1bc7"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.0",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-client@2.8.4"
}